New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lint for Microsoft PKI policy EKU separation #360

Open

sleevi opened this issue Jan 15, 2020 · 0 comments

Assignees

Labels

Contributor

sleevi commented Jan 15, 2020

See https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#4-program-technical-requirements , 11 and 12
11.

New intermediate CA certificates under root certificates submitted for distribution by the Program must separate Server Authentication, S/MIME, Code Signing, and Time Stamping uses. This means that a single intermediate-issuing CA must not be used to issue server authentication, S/MIME, code signing and time stamping certificates. A separate intermediate must be used for each use case.

Rollover root certificates, or certificates which are intended to replace previously enrolled but expired certificates, will not be accepted if they combine server authentication with code signing uses unless the uses are separated by application of Extended Key Uses ("EKU"s) at the intermediate CA certificate level that are reflected in the whole certificate chain.

The 'effective date' for new in Item 11 is 2015-07-23, as per Version 2.0 of the Microsoft Trusted Root Program Requirements that introduced this requirement.

sleevi added the new-lint label

sleevi mentioned this issue

Coverage for Microsoft PKI policy requirements #363

Open

5 tasks

zakird assigned christopher-henderson

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment