(In reply to National Development Council from comment #4)
> Thank you for the response.
> This issue is addressed in the CABForum at F2F meeting 44. We are also discussing the EKU issue with Microsoft now.
> These certificates are used in our e-government service (not TLS), but there is no suitable EKU for general-purpose digital signature and encryption.
> GPKI is willing to put EKUs in all end-entity certificates, but as far as we know no international standard or IETF RFC has defined a general-purpose document signing and data encryption EKU.
> The Document Signing EKU (1.3.6.1.4.1.311.10.3.12) and Encryption File System (EFS) EKU (1.3.6.1.4.1.311.10.3.4) are not general-purpose EKUs.
> 1. Document Signing EKU (1.3.6.1.4.1.311.10.3.12) is used in signing Microsoft Software Office Document and is not suitable for general-purpose document or message signing.
It appears that Adobe also has their own document signing EKU - 1.2.840.113583.1.1.5. Why can't both the Microsoft and Adobe EKUs be included in these certificates? Adobe also supports the codeSigning EKU, and that would exempt these certificates from Mozilla policy.
> 2. Encryption File System (EFS) EKU (1.3.6.1.4.1.311.10.3.4) is used by Microsoft Windows Encryption File System (EFS), is suitable for general-purpose file or data encryption.
What software other than Windows needs to rely on these certificates but fails if the EKUs listed above are asserted?
> We completely understand and respect Mozilla's Root Store Policy. Although these certificates used in e-government service don't have EKU, we have technical constraints that these certificates have no domain name / IP address in SANs and CN. Technically these certificates can't be used in TLS, and browsers would not be confused by these certificates. We would like to kindly ask that these certificates are not treated as misissued certificates.
I understand that there is a reason, but these are still misissued certificates. Please provide an incident report as requested in comment #1.
> We would make the decision about the EKU issue as soon as possible.
What is your timeline for remediating this problem?