cabforum / servercert

Repository for the CA/Browser Forum Server Certificate Chartered Working Group
https://cabforum.org/working-groups/scwg/

Clarify that non-TLS leaf Certificates are not allowed to be issued from a server TLS-capable Issuing CA #532

Open dzacharo opened 1 month ago

dzacharo commented 1 month ago

The TLS BRs need to clearly state that it is not allowed to issue non-TLS leaf Certificates from server TLS-capable Issuing CAs, not even single-purpose "client authentication" leaf Certificates (end-entity certificates with just the id-kp-clientAuth EKU), which was allowed before SC-62.

github-actions[bot] commented 1 month ago

This issue was created based on:

CBonnell commented 1 month ago

This is either closely related or a duplicate of #495.

robstradling commented 1 month ago

@dzacharo "not allowed to issue non-TLS leaf Certificates from server TLS-capable Issuing CAs" would disallow the issuance of OCSP Signer Certificates from Server TLS-capable Issuing CAs. I presume that's not your intent?
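The rule dzacharo proposes, together with the OCSP-signer case robstradling raises, expressed as a small lint over DER-encoded extKeyUsage values. This is an added example, not code from the CA/Browser Forum or this repository; it assumes that a CA without an EKU extension counts as server-TLS-capable and that an OCSP signer (id-kp-OCSPSigning only) is the one exempted non-TLS leaf, and the helper names and sample DER bytes are constructed for illustration.

```python
# Lint: a leaf issued by a server-TLS-capable CA must carry id-kp-serverAuth,
# except an OCSP signer (assumed exemption). Standard library only.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

# Constructed extnValue byte strings (not taken from any real certificate).
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_CLIENT_ONLY = bytes.fromhex("300a06082b06010505070302")
EKU_OCSP_ONLY = bytes.fromhex("300a06082b06010505070309")
EKU_SERVER_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length DER TLV."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 sub-identifiers
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_eku(ext_value):
    """Parse an extKeyUsage extnValue: SEQUENCE OF OBJECT IDENTIFIER."""
    tag, body, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "extKeyUsage must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        assert tag == 0x06, "extKeyUsage entries must be OIDs"
        oids.append(_decode_oid(val))
    return oids

def is_tls_capable_ca(ca_eku):
    """Assumption: no EKU extension means unconstrained, so TLS-capable."""
    return ca_eku is None or SERVER_AUTH in parse_eku(ca_eku)

def check_leaf(ca_eku, leaf_eku):
    """Return (ok, reason) for a leaf issued under the given CA EKU."""
    if not is_tls_capable_ca(ca_eku):
        return True, "issuing CA is not server-TLS-capable; rule does not apply"
    leaf = set(parse_eku(leaf_eku)) if leaf_eku else set()
    if SERVER_AUTH in leaf:
        return True, "TLS leaf certificate"
    if leaf == {OCSP_SIGNING}:
        return True, "OCSP signer certificate (assumed exemption)"
    return False, f"non-TLS leaf from TLS-capable CA, EKU={sorted(leaf)}"
```

With this reading, a clientAuth-only leaf under a serverAuth CA is flagged while an OCSP signer under the same CA passes; if the Forum decides OCSP signers are also out of scope, only the `leaf == {OCSP_SIGNING}` branch changes.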