All,
I intend to address a minor issue in this batch of changes for MRSP v. 2.8.
Currently, section 5.2 of the MRSP says, "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage."
However, if the CA is creating end-entity certificates for itself, e.g. certificates for test websites as required by section 2.2 of the Baseline Requirements, then this language presents a problem. See
https://github.com/mozilla/pkipolicy/issues/238
Here is proposed language to address this issue: add to the end of the phrase above, "unless the certificate is being issued to the CA itself."
Please review.
Thanks,
Ben Wilson