[Servercert-wg] Aligning the BRs with existing Browser Requirements
Ryan Sleevi
sleevi at google.com
Tue Oct 15 10:09:41 MST 2019
Another example was highlighted with respect to authority key identifier extensions:

The requirements on authorityKeyIdentifiers are updated to align with Mozilla:
- RFC 5280 requires that the authorityKeyIdentifier MUST be present in
all certificates, except for self-signed certificates used as trust
anchors, and MUST contain a keyIdentifier field.
- Mozilla Policy prohibits certificates from simultaneously having a
keyIdentifier and authorityCertIssuer+authorityCertSerialNumber fields
(https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices)

You can see this change in isolation at
https://github.com/sleevi/cabforum-docs/commit/0bc0eab88ea456d2582a915cf77a09aa5d645a89,
or the overall set of changes continues to be available at
https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
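
The two authorityKeyIdentifier rules quoted in the message above can be checked mechanically. The following is an added example, not part of the original message or the linked commit: a standard-library lint over the DER value of the extension (the bytes inside its extnValue OCTET STRING). The function names, finding strings and sample byte strings are constructed for illustration.

```python
# Added example: lint the DER value of an authorityKeyIdentifier extension.
KEY_ID, CERT_ISSUER, CERT_SERIAL = 0x80, 0xA1, 0x82  # IMPLICIT [0], [1], [2]

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def lint_aki(aki_der, self_signed_trust_anchor=False):
    """Return a list of findings; an empty list means both checks passed."""
    if aki_der is None:  # extension not present in the certificate
        return [] if self_signed_trust_anchor else ["authorityKeyIdentifier absent"]
    tag, body, end = read_tlv(aki_der, 0)
    if tag != 0x30 or end != len(aki_der):
        raise ValueError("not a single DER SEQUENCE")
    tags, pos = set(), 0
    while pos < len(body):  # collect the context tags of the fields present
        field_tag, _, pos = read_tlv(body, pos)
        tags.add(field_tag)
    findings = []
    if KEY_ID not in tags:
        findings.append("keyIdentifier missing")
    elif tags & {CERT_ISSUER, CERT_SERIAL}:
        findings.append("keyIdentifier combined with authorityCertIssuer/authorityCertSerialNumber")
    return findings

def der(tag, value):
    """Encode one short-form TLV (for the constructed samples only, < 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed sample values, not taken from any real certificate.
KID = der(KEY_ID, bytes(range(20)))
ISSUER_AND_SERIAL = der(CERT_ISSUER, der(0x82, b"ca.example")) + der(CERT_SERIAL, b"\x01")
GOOD = der(0x30, KID)
BOTH = der(0x30, KID + ISSUER_AND_SERIAL)
NO_KID = der(0x30, ISSUER_AND_SERIAL)

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BOTH", BOTH), ("NO_KID", NO_KID), ("ABSENT", None)]:
        print(name, lint_aki(sample))
```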