-
Adam Langley authored
CL 71030 enforced EKU nesting at verification time, to go along with the change in name constraints behaviour. From scanning the Certificate Transparency logs, it's clear that some CAs are not getting EKU nesting correct. This change relaxes the EKU rules in a few ways: ∙ EKUs in roots are no longer checked. ∙ Any CA certificate may issue OCSP responder certificates. ∙ The ServerAuth and SGC EKUs are treated as a single EKU when checking nesting. ∙ ServerAuth in a CA can now authorise ClientAuth. ∙ The generic CodeSigning EKU can now authorise two, Microsoft-specific code-signing EKUs. Change-Id: I7b7ac787709af0dcd177fe419ec2e485b8d85540 Reviewed-on: https://go-review.googlesource.com/77330Reviewed-by:Brad Fitzpatrick <bradfitz@golang.org>
2f1de159
| Name |
Last commit
|
Last update |
|---|---|---|
| .github | ||
| api | ||
| doc | ||
| lib/time | ||
| misc | ||
| src | ||
| test | ||
| .gitattributes | ||
| .gitignore | ||
| AUTHORS | ||
| CONTRIBUTING.md | ||
| CONTRIBUTORS | ||
| LICENSE | ||
| PATENTS | ||
| README.md | ||
| favicon.ico | ||
| robots.txt |