On Thu, Jul 2, 2020 at 1:15 PM Paul van Brouwershaven < p...@vanbrouwershaven.com> wrote:
>> That's not correct, and is similar to the mistake I originally/previously
>> made, and was thankfully corrected on, which also highlighted the
>> security-relevant nature of it. I encourage you to give another pass at
>> Robin's excellent write-up, at
>> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/XQd3rNF4yOo/bXYjt1mZAwAJ
>
> Thanks, it's an interesting thread, but as shown above, Windows does
> validate the EKU chain, but doesn't look to validate it for delegated OCSP
> signing certificates?

The problem is providing the EKU as you're doing, which forces chain
validation of the EKU, as opposed to validating the OCSP response, which does
not.

A more appropriate test is to install the test root R as a locally trusted
CA, issue an intermediate I (without the EKU/only id-kp-serverAuth), issue an
OCSP responder O (with the EKU), and issue a leaf cert L. You can then
validate the OCSP response from the responder cert (that is, an OCSP response
signed by the chain O-I-R) for the certificate L-I-R.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
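The test procedure described in the message above, as an added example that is not part of the original thread: the script below builds R, I (id-kp-serverAuth only, no id-kp-OCSPSigning), O (id-kp-OCSPSigning) and L with OpenSSL, signs an OCSP response for L with O, and asks `openssl ocsp` to verify it while trusting only R. It also adds a second responder O2 that carries no EKU at all as a control, so that an "OK" verdict for O can be read against a known-bad case. The names R, I, O and L come from the message; O2, the subject names, serial numbers, ECDSA P-256 keys, the one-line CA index file and the scratch-directory layout are this example's own choices. The script only covers OpenSSL as the verifier; to run the test against the Windows verifier the thread is about, the generated R.crt is what gets installed as the locally trusted root and resp-O.der is the response to validate there.

```shell
#!/bin/sh
# Added example (not from the thread): builds the hierarchy the reply describes
# with OpenSSL and checks whether `openssl ocsp` accepts a response for L that
# is signed by delegated responder O, whose issuer I carries only serverAuth.
# Names, serials and file layout are this example's own choices.
set -eu

write_extensions() {
  cat > ext.cnf <<'EOF'
[ root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ inter ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ responder ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ responder_no_eku ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:leaf.example
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue NAME SUBJECT SECTION ISSUER SERIAL; an empty ISSUER means self-signed.
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
      -extfile ext.cnf -extensions "$3" -out "$1.crt"
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -set_serial "$5" \
      -days 1825 -extfile ext.cnf -extensions "$3" -out "$1.crt"
  fi
}

# R -> I (serverAuth only) -> { O with OCSPSigning, O2 without any EKU, L }.
build_hierarchy() {
  write_extensions
  issue R  "/CN=Test Root R"            root             "" ""
  issue I  "/CN=Test Intermediate I"    inter            R  0x10
  issue O  "/CN=Test OCSP Responder O"  responder        I  0x20
  issue O2 "/CN=Responder without EKU"  responder_no_eku I  0x21
  issue L  "/CN=leaf.example"           leaf             I  0x1001
  # One-line OpenSSL CA index marking L (serial 0x1001) valid: six tab-separated fields.
  printf 'V\t20350101000000Z\t\t1001\tunknown\t/CN=leaf.example\n' > index.txt
  # The OCSP request for L, issuer I (no nonce, so a fresh request matches later).
  openssl ocsp -issuer I.crt -cert L.crt -no_nonce -reqout req.der
}

# Sign a response for L with the given responder (embedding its cert and I),
# then verify it the way a client would, trusting only R.
# Returns 0 only when OpenSSL prints "Response verify OK".
sign_and_verify() {
  openssl ocsp -index index.txt -CA I.crt -rsigner "$1.crt" -rkey "$1.key" \
    -rother I.crt -rmd sha256 -reqin req.der -respout "resp-$1.der"
  openssl ocsp -respin "resp-$1.der" -issuer I.crt -cert L.crt -no_nonce \
    -CAfile R.crt > "verify-$1.txt" 2>&1 || true
  cat "verify-$1.txt"
  grep -q '^Response verify OK' "verify-$1.txt"
}

run_demo() {
  cd "$(mktemp -d)"
  build_hierarchy
  for r in O O2; do
    if sign_and_verify "$r"; then echo "$r: ACCEPTED"; else echo "$r: REJECTED"; fi
  done
}

run_demo
```

OpenSSL accepts the response from O and rejects the one from O2: it checks id-kp-OCSPSigning on the responder certificate itself (and that the responder's issuer is the issuer of the certificate in the response) but does not require the EKU on I or R, which is the behaviour the RFC 6960 delegated-responder model expects. Whether the Windows verifier that the message asks about behaves the same way when validating resp-O.der against an installed R.crt is exactly what the test is meant to find out; the control responder O2 is there so that an "accepted" result for O is not mistaken for a verifier that skips the EKU check altogether.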