Clarify that non-TLS leaf Certificates are not allowed to be issued from a server TLS-capable Issuing CA #532
Assignees
Labels
baseline-requirements
Server Certificate CWG - Baseline Requirements
Comments
dzacharo
added
baseline-requirements
|
This issue was created based on:
|
|
This is either closely related or a duplicate of #495. |
|
@dzacharo "not allowed to issue non-TLS leaf Certificates from server TLS-capable Issuing CAs" would disallow the issuance of OCSP Signer Certificates from Server TLS-capable Issuing CAs. I presume that's not your intent? |
|
@dzacharo I'm removing the clean-up tag. While I agree this needs to be clarified, it might entail more work then just adding one or two sentenses, for example by what Rob highlighted. Happy to drive a separate ballot for this however. Feel free to comment if you disagree |
|
Related to #506, as it involves the use of TLS-capable CA key material to include and sign entries in a CRL with a forbidden CRL reasonCode. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The TLS BRs need to clearly state that it is not allowed to issue non-TLS leaf Certificates from server TLS-capable Issuing CAs, not even single-purpose "client authentication" leaf Certificates (end-entity certificates with just the
id-kp-clientAuthEKU), which was allowed before SC-62.The text was updated successfully, but these errors were encountered: