CA/CertificatePolicyV2.1: Difference between revisions

Line 15: Line 15:
# RFC 5280 reads "In general, this extension will appear only in end entity certificates". Is it non-standard to have EKU in intermediate certificates, and will client software break when receiving such a certificate chain?  
# RFC 5280 reads "In general, this extension will appear only in end entity certificates". Is it non-standard to have EKU in intermediate certificates, and will client software break when receiving such a certificate chain?  
#* The use of the EKU extension in intermediate certificates was discussed at length in the mozilla.dev.security.policy forum. The conclusion was that EKU is the best tool for technically constraining intermediate certificates in regards to the types of certificates they can sign.
#* The use of the EKU extension in intermediate certificates was discussed at length in the mozilla.dev.security.policy forum. The conclusion was that EKU is the best tool for technically constraining intermediate certificates in regards to the types of certificates they can sign.
#** {{Bug|725351#c10}}
#** https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/NetscapeCertType/mozilla.dev.security.policy/0jnELviAxxo/MJu7GV8qrdQJ
#** https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/NetscapeCertType/mozilla.dev.security.policy/0jnELviAxxo/MJu7GV8qrdQJ
#** https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/EKU/mozilla.dev.security.policy/0jnELviAxxo/x9YWucysGycJ
#** https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/EKU/mozilla.dev.security.policy/0jnELviAxxo/x9YWucysGycJ
#* Inclusion of EKU in CA certificates is generally allowed. NSS and CryptoAPI both treat the EKU extension in intermediate certs as a constraint on the permitted EKU OIDs in end-entity certs. Other browsers and certificate client software have been using EKU in intermediate certificates, and it has been common for enterprise subordinate CAs in Windows environments to use EKU in their intermediate certificates to constrain certificate issuance. Therefore, it is unlikely that using EKU in intermediate certificates would break other client software.
#* Inclusion of EKU in CA certificates is generally allowed. NSS and CryptoAPI both treat the EKU extension in intermediate certs as a constraint on the permitted EKU OIDs in end-entity certs. Other browsers and certificate client software have been using EKU in intermediate certificates, and it has been common for enterprise subordinate CAs in Windows environments to use EKU in their intermediate certificates to constrain certificate issuance. Therefore, it is unlikely that using EKU in intermediate certificates would break other client software.
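Review bot: the line added in this revision, `#** {{Bug|725351#c10}}`, is a bare bug-comment reference placed ahead of the two forum links, and nothing tells the reader what that comment records or how it relates to the "discussed at length in the mozilla.dev.security.policy forum" sentence it sits under. Suggest giving it a short descriptor in the same sub-bullet (for example, which part of the EKU-in-intermediates conclusion the comment supports), so the three references read as a coherent list rather than an unlabelled citation followed by two unlabelled URLs.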