Confirmed users
299
edits
SecurityEngineering/mozpkix-testing: Difference between revisions
→Behavior Changes
| Line 81: | Line 81: | ||
# End-entity certificates that contain the EKU extension are now required to assert the serverAuth bit. | # End-entity certificates that contain the EKU extension are now required to assert the serverAuth bit. | ||
# End-entity certificates are no longer allowed to include the OCSPSigning EKU. | # End-entity certificates are no longer allowed to include the OCSPSigning EKU. | ||
# If an intermediate certificate contains the EKU extension, and that intermediate certificate will be used to issue SSL/TLS certificates, then the EKU must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) bit or the Netscape Server Gated Crypto bit (support for NSGC is provided temporarily for backward compatibility). | # If an intermediate certificate contains the EKU extension, and that intermediate certificate will be used to issue SSL/TLS certificates, then the EKU must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) bit or the Netscape Server Gated Crypto bit (support for NSGC is provided temporarily for backward compatibility). {{Bug|982292}} | ||
= Things for CAs to Fix = | = Things for CAs to Fix = | ||