[cabfpub] Issuers in BR/EV/EVCS Guideline Scope
Peter Bowen
pzb at amzn.com
Fri Apr 15 15:54:45 UTC 2016
> On Apr 15, 2016, at 6:27 AM, Gervase Markham <gerv at mozilla.org> wrote:
>
> On 14/04/16 15:35, Peter Bowen wrote:
>> I think the following two things are clearly cases when scope does
>> not confer:
>> - Scope is not conferred after the notAfter date in the
>> CA certificate (scope expires)
>
> This would prevent the CAB Forum making a rule like "revocation
> information for revoked certificates must remain available for at least
> one month after the notAfter date in the cert".
Yes, this is a good point, especially for durable signatures.
>> - Scope is not conferred if the CA certificate includes a properly
>> formed Extended Key Usage extension and the listed key purposes do
>> not include any of {anyExtendedKeyUsage, id-kp-serverAuth,
>> id-kp-codeSigning}
>
> Agreed. (Which is not to say all certificates which don't meet that
> criterion _are_ in scope.)
Correct.