[cabfpub] Mozilla SHA-1 further restrictions
Gervase Markham
gerv at mozilla.org
Fri Nov 18 15:26:44 UTC 2016
On 18/11/16 15:04, Rob Stradling wrote:
> crt.sh currently has 302 CA certificates that contain the
> id-kp-clientAuth EKU OID
I think you mean id-kp-emailProtection here, from your figures...
> and that are trusted by Microsoft and/or
> Mozilla and/or Apple.
>
> Here's a summary of the EKU OIDs contained in those 302 intermediate certs:
>
>  count |    x509_extkeyusages     |             purpose
> -------+--------------------------+--------------------------------
>    302 | 1.3.6.1.5.5.7.3.4        | id-kp-emailProtection
>    284 | 1.3.6.1.5.5.7.3.2        | id-kp-clientAuth
>    104 | 1.3.6.1.5.5.7.3.1        | id-kp-serverAuth
People make certs usable for both serverAuth and email/clientAuth? :-|
>     60 | 1.3.6.1.5.5.7.3.9        | id-kp-OCSPSigning
Wait, what?
Gerv