[Servercert-wg] [External Sender] Discussion about single-purpose client authentication leaf certificates issued from a server TLS Issuing CA
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri May 17 09:22:27 UTC 2024
On 16/5/2024 10:29 μ.μ., Clint Wilson wrote:
>> AFAIK Apple and Mozilla also don't have a specific "trust bit" for Client Authentication. Only Microsoft does.
> FWIW, Apple does indeed have a specific trust bit for id-kp-clientAuth EKU and allows for (and ships) dedicated clientAuth Root CAs in the Apple Root Program (as outlined in 2.1.3 of the ARP Policy).
>
Thanks for the correction Clint. I had the impression that you shipped
only Apple Roots for clientAuth. My bad.
Dimitris.
More information about the Servercert-wg
mailing list