[cabfpub] Mozilla SHA-1 further restrictions

Rob Stradling rob.stradling at comodo.com
Fri Nov 18 16:20:41 UTC 2016

On 18/11/16 16:09, Erwann Abalea wrote:
>>>>    60 |        | id-kp-OCSPSigning
>>> Wait, what?
>> Depressing, isn't it.
> This is a Microsoft issue. I don’t remember the exact details, but either Microsoft PKI can’t generate a dedicated OCSP responder out of a CA if the CA certificate is « EKU-constrained » without containing the id-kp-OCSPSigning, or Microsoft relying parties can’t validate an OCSP response signed by such a responder.
> A consequence of the « EKU constraints ».

It's the former, and there's a workaround (which we've used successfully):
Use an untrusted root to issue an unconstrained intermediate with the 
same Subject/PublicKey as the trusted, constrained intermediate (that 
lacks the OCSP Signing EKU OID).  Having then installed the untrusted, 
unconstrained intermediate into your Microsoft CA environment, use it to 
issue an OCSP responder cert.  Then you can use that OCSP responder cert 
in conjunction with your trusted, constrained intermediate.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list