
cacert-policy - Re: Uncontroversial changes to the CPS

  • From: Duane Groth <duane AT groth.net>
  • To: Michael Tänzer <michael.taenzer AT cacert.org>
  • Cc: cacert-policy AT lists.cacert.org, Ian G <iang AT cacert.org>
  • Subject: Re: Uncontroversial changes to the CPS
  • Date: Thu, 27 Oct 2011 10:52:50 +1100

On 27/10/11 02:58, Michael Tänzer wrote:
On 26.10.2011 08:11, Ian G wrote:
On 25/10/11 22:50 PM, Michael Tänzer wrote:
Change
"extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC"
to "extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC"

Reasoning:
Client certificates should not be used for the server authentication in
TLS, therefore the serverAuth part should be dropped. If you need it, use
a server certificate which has it. Dropping this is not as critical, however.
I wonder what the application is?

I posted to Duane and he said:

     "Well this would instantly break email server certs which need both
     cli and server, and they were the reason for adding it in the first
     place."
Hmm, I'm pretty sure that for "email servers" (I guess SMTP is meant
here) you need a server not a client certificate (i.e. one for
CN="mail.example.com" not CN="Alex Admin"). This would indeed be a case
to keep the _clientAuth_ on the _server certificates_ but not to keep
the serverAuth on the client certs. The emailProtection is not needed
by an SMTP server as it doesn't do S/MIME, only transport encryption (TLS).

@Duane can you confirm my interpretation?

Yes, my comment was in regard to dropping client credentials on server certificates, specifically SMTP.
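The distinction the thread draws between a person's client certificate and an SMTP server certificate can be checked mechanically against a certificate's extendedKeyUsage. The following is an added example in Go (standard library only), not code from CAcert or from anyone in this thread: the per-role policies, the `CheckEKU` function and the `selfSigned` test helper are assumptions for illustration, and the Microsoft/Netscape values (msEFS, msSGC, nsSGC) from the CPS line are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ekuPolicy is an assumed per-role rule: EKUs a certificate must carry and
// EKUs it must not carry (emailProtection is neither for an SMTP server).
type ekuPolicy struct{ required, forbidden []x509.ExtKeyUsage }

var policies = map[string]ekuPolicy{
	"client": {[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth},
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
	"smtp": {[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, nil},
}

// CheckEKU returns the EKUs cert lacks for role and the EKUs it carries but
// must not; both empty means the certificate fits the role.
func CheckEKU(cert *x509.Certificate, role string) (missing, forbidden []x509.ExtKeyUsage) {
	have := map[x509.ExtKeyUsage]bool{}
	for _, e := range cert.ExtKeyUsage {
		have[e] = true
	}
	for _, e := range policies[role].required {
		if !have[e] {
			missing = append(missing, e)
		}
	}
	for _, e := range policies[role].forbidden {
		if have[e] {
			forbidden = append(forbidden, e)
		}
	}
	return missing, forbidden
}

// selfSigned builds a constructed, self-signed test certificate carrying ekus.
func selfSigned(cn string, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: ekus}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Run against a client certificate issued under the old CPS line, the check reports serverAuth as forbidden and nothing missing; an SMTP server certificate that lost clientAuth is reported as missing it.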