[Servercert-wg] [cabfpub] Using OV TLS server certificate as TLS client certificates only
Ryan Sleevi
sleevi at google.com
Thu Apr 29 21:26:22 UTC 2021
On Thu, Apr 29, 2021 at 4:58 PM Kurt Roeckx <kurt at roeckx.be> wrote:
> id-kp-clientAuth is defined as "TLS WWW client authentication",
> but it's also being used for things that are not related to www.
> It would be better that for server to server authentication, you
> create a new EKU, and that it's specific to a certain use case.
>
Very much, yes.
This applies whether you're using a PKI special for your trust framework
(definitely, the recommended approach, same as you would use a separate PKI
for, say, passport issuance) or you're using a generic PKI. The combination
of both a distinct, per-trust framework EKU and certificatePolicy OID,
together, are necessary to ensure solid and secure technical
implementation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210429/e1c7cd67/attachment.html>
More information about the Servercert-wg
mailing list