[cabfpub] Name Constraints, Auditing and EKU
Rob Stradling
rob.stradling at comodo.com
Thu Apr 25 19:28:11 UTC 2013
On 25/04/13 17:42, Erwann Abalea wrote:
> Le 23/04/2013 23:28, Rob Stradling a écrit :
>> On 23/04/13 21:50, Ryan Hurst wrote:
>> <snip>
>>> Additionally notice the logic is gated by the signing key; even in CA
>>> delegated the delegated responder can not sign for any other CA in the
>>> hierarchy -- only those within its scope.
>>>
>>> I am confident Windows behaves this way
>>
>> Disagree.
>>
>> ~30% of the Root Certificates distributed by the Microsoft Root
>> Certificate Program are enabled by default for the "OCSP Signing"
>> trust purpose. AIUI, this means that they are trusted to sign (or
>> issue Delegated OCSP Response Signer certs that can sign) OCSP
>> Responses _for any cert that chains to any trusted Root_!!
>
> Interested by this information, I parsed the CAB file containing the
> root certificates distributed by Microsoft. Attached to every root
> certificate is a set of EKU, and yes, 81 root certificate (among 352) do
> have the id-kp-ocspSigning EKU associated with them.
> Does that really mean that these root certificates can act as a "Trusted
> Responder" for all the roots?
Hi Erwann. I've exchanged a few emails with Ryan off-list, and he is
sure that the answer is "No". And I hope he's right!
But if he's right, then I think that means that assigning the "OCSP
Signing" trust purpose to a Root Certificate in the Windows Trusted Root
Store has absolutely no effect whatsoever. Why provide a feature that
does nothing?
I would like to understand how to configure "Independent OCSP Signer" in
Windows, but I haven't managed to find any documentation.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list