[cabfpub] Name Constraints, Auditing and EKU

Rob Stradling rob.stradling at comodo.com
Tue Apr 23 21:28:51 UTC 2013


On 23/04/13 21:50, Ryan Hurst wrote:
<snip>
> Additionally notice the logic is gated by the signing key; even in CA
> delegated the delegated responder can not sign for any other CA in the
> hierarchy -- only those within its scope.
>
> I am confident Windows behaves this way

Disagree.

~30% of the Root Certificates distributed by the Microsoft Root 
Certificate Program are enabled by default for the "OCSP Signing" trust 
purpose.  AIUI, this means that they are trusted to sign (or issue 
Delegated OCSP Response Signer certs that can sign) OCSP Responses _for 
any cert that chains to any trusted Root_!!

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



More information about the Public mailing list