On Sun, Jan 21, 2018 at 5:59 PM, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
>
>
>> On Jan 21, 2018, at 2:40 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>>
>>> OpenSSL interprets the "extendedKeyUsage" extension in CA certificates
>>> as a restriction on the allowed extended key usages of leaf certificates
>>> that can be issued by that CA.
>>>
>>> You should typically not specify extended key usage for CA certificates
>>> at all, unless you mean to restrict them to specific purposes.
>>
>> The behavior is inconsistent with RFC 5280:
>>
>> 4.2.1.12. Extended Key Usage
>>
>> This extension indicates one or more purposes for which the certified
>> public key may be used, in addition to or in place of the basic
>> purposes indicated in the key usage extension. In general, this
>> extension will appear only in end entity certificates. This
>> extension is defined as follows ...
>
> We're well aware of this, but this is the de-facto behaviour of
> multiple implementations. This is an area in which RFC5280 fails
> to match the real world.

Apparently everyone did not get the memo :)

Maybe OpenSSL should allow users to choose between IETF issuing policies and CA/Browser BR issuing policies.

Jeff

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
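The CA-side EKU restriction described in the thread can be reproduced with the command-line tools. This is an added example, not code from the thread or from the OpenSSL project; it assumes OpenSSL 1.1.1 or later on the PATH, and every name, path and EKU value in it is made up.

```shell
#!/bin/sh
# Added example: OpenSSL treats extendedKeyUsage in a CA certificate as a
# restriction on what leaf certificates issued under it may be used for.

# make_chain CA_EKU LEAF_EKU DIR: self-signed CA plus one leaf it signs.
#   Pass "" as CA_EKU to omit extendedKeyUsage from the CA (the usual shape).
make_chain() {
    ca_eku=$1; leaf_eku=$2; dir=$3; cnf=$3/x.cnf; mkdir -p "$dir"
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
${ca_eku:+extendedKeyUsage = $ca_eku}
[leaf_ext]
extendedKeyUsage = $leaf_eku
EOF
    # Self-signed CA using the ca_ext section (EKU line only if CA_EKU given).
    openssl req -x509 -config "$cnf" -extensions ca_ext -newkey ec \
        -pkeyopt ec_paramgen_curve:P-256 -nodes -sha256 -days 2 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    # Leaf key + CSR, then sign it with the CA, stamping the leaf EKU.
    openssl req -new -config "$cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
        -nodes -sha256 -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_purpose DIR PURPOSE: exit status of `openssl verify -purpose PURPOSE`.
#   With -purpose every cert in the chain, CA included, must permit the purpose.
verify_purpose() {
    openssl verify -purpose "$2" -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Demo: identical leaf EKU (serverAuth,clientAuth) under two different CAs.
demo() {
    tmp=$(mktemp -d)
    make_chain serverAuth serverAuth,clientAuth "$tmp/restricted" || return 1
    make_chain ""         serverAuth,clientAuth "$tmp/open" || return 1
    for c in restricted open; do for p in sslserver sslclient; do
        verify_purpose "$tmp/$c" "$p" && r=OK || r=REJECTED
        echo "CA=$c purpose=$p -> $r"   # restricted/sslclient is REJECTED
    done; done
    rm -rf "$tmp"
}
demo
```

The leaf under the restricted CA carries clientAuth itself, yet `-purpose sslclient` fails with "unsupported certificate purpose" at the CA's depth, because the CA's own EKU lacks clientAuth; the same leaf under the EKU-less CA passes both purposes.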