by Ajedi32
135 days ago
That's not allowed.

> To qualify as a dedicated TLS server authentication PKI hierarchy under this policy:
> All corresponding unexpired and unrevoked subordinate CA certificates operated beneath an applicant root CA MUST:
> [...]
> when disclosed to the CCADB…
> [...]
> on or after June 15, 2025, include the extendedKeyUsage extension and only assert an extendedKeyUsage purpose of id-kp-serverAuth.
> [...]
> NOT contain a public key corresponding to any other unexpired or unrevoked certificate that asserts different extendedKeyUsage values.

https://googlechrome.github.io/chromerootprogram/policy-arch...
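A standard-library-only check for the EKU rule quoted above, added here as an example and not code from the thread or from the Chrome Root Program; the extension bytes are constructed samples and the OID 1.3.6.1.5.5.7.3.1 for id-kp-serverAuth comes from RFC 5280:

```python
# Added example: decode the DER value of an X.509 extendedKeyUsage
# extension (RFC 5280, section 4.2.1.12) and apply the quoted Chrome Root
# Program test: the extension must be present and assert only id-kp-serverAuth.
from typing import List, Optional

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # OID from RFC 5280

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128; high bit = more to come
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der: bytes) -> List[str]:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(value))
    return oids

def is_dedicated_server_auth(eku_der: Optional[bytes]) -> bool:
    """True only if the EKU is present and asserts exactly id-kp-serverAuth."""
    if eku_der is None:                     # a missing EKU fails the policy
        return False
    return parse_eku(eku_der) == [ID_KP_SERVER_AUTH]

# Constructed sample extension values (DER bytes of the SEQUENCE).
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")

if __name__ == "__main__":
    print(parse_eku(EKU_SERVER_AND_CLIENT))                 # both OIDs
    print(is_dedicated_server_auth(EKU_SERVER_AND_CLIENT))  # False
```

In practice the bytes passed to parse_eku are the OCTET STRING contents of the 2.5.29.37 extension pulled from a real subordinate CA certificate.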
According to Google. Why do they get to dictate this?
Per the current (2.2.2) CAB requirements [1], §7.1.2.10.6, "CA Certificate Extended Key Usage": id-kp-clientAuth is a MAY.
If I were (say) Let's Encrypt I would (optionally?) allow it and dare Google/Chrome to remove my root certificate. Letting bullies get away with this kind of nonsense only encourages them.
[1] https://cabforum.org/working-groups/server/baseline-requirem...