[cabfpub] Mozilla SHA-1 further restrictions
Gervase Markham
gerv at mozilla.org
Fri Nov 18 14:35:45 UTC 2016
On 18/11/16 14:16, Doug Beattie wrote:
> Gerv,
>
> Are you specifically concerned about the id-kp-emailProtection and
> what needs to be combined with that, or is the issue what's the total
> set of EKUs that might be needed? In other words, do you care less
> if a CA has all of the below except id-kp-emailProtection?
Well, it doesn't sound very sensible to me, but I'm not sure why
Mozilla's policy would care :-)
> By the way, we have the same challenge with our SSL CAs - there's a
> set of EKUs we'd like to include in SSL certs to support Domain
> Controllers and VPN servers.
Are we still talking about SHA-1 issuance here? I don't think Mozilla
has EKU restrictions for non-SHA-1 issuance...
Gerv
More information about the Public
mailing list