[cabfpub] Name Constraints, Auditing and EKU
Rob Stradling
rob.stradling at comodo.com
Tue Apr 23 21:28:51 UTC 2013
On 23/04/13 21:50, Ryan Hurst wrote:
<snip>
> Additionally notice the logic is gated by the signing key; even in CA
> delegated the delegated responder can not sign for any other CA in the
> hierarchy -- only those within its scope.
>
> I am confident Windows behaves this way

Disagree.

~30% of the Root Certificates distributed by the Microsoft Root
Certificate Program are enabled by default for the "OCSP Signing" trust
purpose. AIUI, this means that they are trusted to sign (or issue
Delegated OCSP Response Signer certs that can sign) OCSP Responses _for
any cert that chains to any trusted Root_!!
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
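
The two readings in this exchange, side by side, as an added example that is not part of the original message: `scoped_ok` follows the authorized-responder rule of RFC 2560 section 4.2.2.2, and `purpose_ok` models the root-level "OCSP Signing" trust purpose as the message reads it, without asserting how any platform behaves. The hierarchy and all names are constructed, and subject names stand in for keys and signatures.

```python
from dataclasses import dataclass

OCSP_SIGNING = "id-kp-OCSPSigning"  # EKU named in RFC 2560/6960

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                      # toy model: names stand in for keys and signatures
    ekus: frozenset = frozenset()

def chains_to(cert, by_subject):
    """Walk issuer names up to the self-issued root and return its subject."""
    while cert.issuer != cert.subject:
        cert = by_subject[cert.issuer]
    return cert.subject

def scoped_ok(responder, target, local_config=frozenset()):
    """Authorized-responder rule, RFC 2560/6960 section 4.2.2.2."""
    # locally configured for this CA, or the issuing CA itself
    if (responder.subject, target.issuer) in local_config or responder.subject == target.issuer:
        return True
    # delegated responder: issued by the same CA, carrying the OCSP Signing EKU
    return responder.issuer == target.issuer and OCSP_SIGNING in responder.ekus

def purpose_ok(responder, target, by_subject, trusted_roots, ocsp_roots):
    """Trust-purpose reading from the message: not scoped to target's issuer."""
    if chains_to(target, by_subject) not in trusted_roots:
        return False
    if responder.subject in ocsp_roots:                     # root signs directly
        return True
    return responder.issuer in ocsp_roots and OCSP_SIGNING in responder.ekus

def over_broad(responders, target, by_subject, trusted_roots, ocsp_roots):
    """Responders accepted under the trust-purpose reading but not the scoped rule."""
    return [r.subject for r in responders
            if purpose_ok(r, target, by_subject, trusted_roots, ocsp_roots)
            and not scoped_ok(r, target)]

# Constructed hierarchy; all names are hypothetical.
ROOT_A = Cert("Root A", "Root A")
ROOT_B = Cert("Root B", "Root B")
CA_B1 = Cert("CA B1", "Root B")
LEAF = Cert("www.example.test", "CA B1")
RESP_A = Cert("Responder A", "Root A", frozenset({OCSP_SIGNING}))
RESP_B1 = Cert("Responder B1", "CA B1", frozenset({OCSP_SIGNING}))
ALL = [ROOT_A, ROOT_B, CA_B1, LEAF, RESP_A, RESP_B1]
BY_SUBJECT = {c.subject: c for c in ALL}
TRUSTED = {"Root A", "Root B"}
OCSP_ROOTS = {"Root A"}   # assumption: only Root A has the OCSP Signing purpose
```

Calling `over_broad(ALL, LEAF, BY_SUBJECT, TRUSTED, OCSP_ROOTS)` lists the signers that only the unscoped reading accepts for a leaf issued under a different root.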