[cabfpub] Name Constraints, Auditing and EKU

Rob Stradling rob.stradling at comodo.com
Wed Apr 24 09:37:59 UTC 2013

On 23/04/13 23:16, Piyush Jain wrote:
>> ~30% of the Root Certificates distributed by the Microsoft Root
> Certificate
>> Program are enabled by default for the "OCSP Signing" trust purpose.
> [Piyush]  I was unable to find ant root certificates with OCSP signing
> enabled in CAPI store.

Your CAPI store probably just hasn't needed to pull in any of these 
Roots yet.

Try browsing to https://www.turktrust.com.tr and then look at the trust 
purposes of the TURKTrust Root that will have just been silently added 
to your CAPI trusted root store.

>> this means that they are trusted to sign (or issue Delegated OCSP Response
>> Signer certs that can sign) OCSP Responses _for any cert that chains to
> any
>> trusted Root_!!
> [Piyush]  This may not be the correct interpretation. If clients are
> accepting OCSP responses in this way, they are certainly not following RFC
> 2560.

Agreed.  It's non-standard behaviour that Microsoft call "Independent 
OCSP Signer".


> OCSP signing delegation does not extend beyond one level. So having OCSP
> signing enabled in a root does not imply that OCSP responses signed by that
> root can be used to validate certificates that chain up under a different
> root.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list