undefined | Better HN

0 pointsAjedi322mo ago0 comments

That's not allowed.

> To qualify as a dedicated TLS server authentication PKI hierarchy under this policy:

> All corresponding unexpired and unrevoked subordinate CA certificates operated beneath an applicant root CA MUST:

> [...]

> when disclosed to the CCADB…

> [...]

> on or after June 15, 2025, include the extendedKeyUsage extension and only assert an extendedKeyUsage purpose of id-kp-serverAuth.

> [...]

> NOT contain a public key corresponding to any other unexpired or unrevoked certificate that asserts different extendedKeyUsage values.

https://googlechrome.github.io/chromerootprogram/policy-arch...

0 comments

throw0101a2mo ago

> That's not allowed.

According to Google. Why do they get to dictate this?

Per the current (2.2.2) CAB requirements [1], §7.1.2.10.6, "CA Certificate Extended Key Usage": id-kp-clientAuth is a MAY.

If I was (say) Let's Encrypt I would (optionally?) allow it and dare Google/Chrome to remove my root certificate. Letting bullies get away with this kind of non-sense only encourages them.

[1] https://cabforum.org/working-groups/server/baseline-requirem...

j / k navigate · click thread line to collapse

0 comments

throw0101a2mo ago

> That's not allowed.

According to Google. Why do they get to dictate this?

Per the current (2.2.2) CAB requirements [1], §7.1.2.10.6, "CA Certificate Extended Key Usage": id-kp-clientAuth is a MAY.

If I was (say) Let's Encrypt I would (optionally?) allow it and dare Google/Chrome to remove my root certificate. Letting bullies get away with this kind of non-sense only encourages them.

[1] https://cabforum.org/working-groups/server/baseline-requirem...

j / k navigate · click thread line to collapse