Russ Housley <hous...@vigilsec.com> wrote:
> X.509 and RFC 5280 say that EKU is only useful in end entity certificates.
> The CA/Browser forum says otherwise. They have defined a way for the
> EKU in CA certificates to constrain subordinate certificates.

> I prefer a different approach to such constraints, but when this was
> last discussed, it became clear that no one was going to change their
> code, so I dropped it.

Thank you for this history.

> The thread from 2016 starts here:
> https://mailarchive.ietf.org/arch/msg/spasm/0UIEDAEhLK2iHNUhrH6VjDcbHmU/

I think that ietf-uta-tls13-iot will go with no EKUs in certification authorities: useless bits for constrained IoT networks.

>> On Nov 18, 2024, at 10:28 AM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>>
>> Are Extended Key Usage values meaningful for root and subordinate CA
>> certificates?
>>
>> https://www.ietf.org/archive/id/draft-ietf-uta-tls13-iot-profile-11.html#name-key-usage
>> and:
>> https://www.ietf.org/archive/id/draft-ietf-uta-tls13-iot-profile-11.html#name-key-usage-2
>>
>> I think they might be meaningless?
>>
>> --
>> Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>            Sandelman Software Works Inc, Ottawa and Worldwide

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Uta mailing list -- uta@ietf.org
To unsubscribe send an email to uta-le...@ietf.org
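
The two readings of EKU contrasted in the message above, as an added example that is not part of the original thread or of any implementation it mentions. The Cert class, the sample certificates and the function names are constructed for illustration; the path is ordered end entity first and leaves out the trust anchor, which is an assumption of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed certificate (not an X.509 parser)."""
    subject: str
    is_ca: bool
    eku: Optional[FrozenSet[str]]  # None means the EKU extension is absent


def eku_allows(cert: Cert, purpose: str) -> bool:
    # An absent EKU places no restriction; a present EKU must list the purpose.
    # anyExtendedKeyUsage is not modelled in this example.
    return cert.eku is None or purpose in cert.eku


def check_leaf_only(path: List[Cert], purpose: str) -> bool:
    """Reading attributed to X.509 / RFC 5280: only the end entity's EKU counts."""
    return eku_allows(path[0], purpose)


def check_chained(path: List[Cert], purpose: str) -> Tuple[bool, Optional[str]]:
    """Reading attributed to the CA/Browser Forum: an EKU in a CA certificate
    also constrains what is issued beneath it.
    Returns (ok, subject of the first certificate that blocks the purpose)."""
    for cert in path:
        if not eku_allows(cert, purpose):
            return False, cert.subject
    return True, None


# Constructed sample certificates.
LEAF = Cert("CN=device.example", False, frozenset({SERVER_AUTH}))
SUB_CLIENT_ONLY = Cert("CN=Constructed Client-Auth Sub CA", True,
                       frozenset({CLIENT_AUTH}))
SUB_NO_EKU = Cert("CN=Constructed Unconstrained Sub CA", True, None)

if __name__ == "__main__":
    for sub in (SUB_CLIENT_ONLY, SUB_NO_EKU):
        path = [LEAF, sub]
        print(sub.subject,
              "| leaf-only:", check_leaf_only(path, SERVER_AUTH),
              "| chained:", check_chained(path, SERVER_AUTH))
```

The same server certificate passes the leaf-only check under either issuer, but the chained check rejects it under the issuer whose EKU lists only client authentication. A CA certificate with no EKU gives the same answer under both readings, which is the case the reply says the IoT profile will likely choose.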