On Wed, Sep 4, 2019 at 11:06 AM Ben Wilson <ben.wil...@digicert.com> wrote:
> I thought that the EKU "id-kp-OCSPSigning" was for the OCSP responder
> certificate itself (not the CA that issues the OCSP responder certificate).
> I don't think I've encountered a problem before, but I guess it would
> depend on the implementation?

Correct. Mozilla does not require the EKU chaining, in technical implementation or in policy.

The aforementioned comments, however, indicate CAs have reported that Microsoft does. That is, the assertion is that Microsoft requires that issuing CAs bear an overlapping set of EKUs that align with their issued certificates, whether subordinate CAs, end-entity, or OCSP responders.

Mozilla requires the same thing with respect to id-kp-serverAuth, but the Mozilla code has a special carve-out for id-kp-OCSPSigning that both does not require it on intermediate CAs and also allows it to be present, precisely because of the presumed Microsoft requirement.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
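The two EKU-chaining behaviours discussed in the message, as an added model written for this page (not mozilla::pkix or any Microsoft code): the Mozilla rule with its id-kp-OCSPSigning carve-out beside a strict "every EKU of a certificate must also appear on its issuer" rule standing in for the requirement CAs attribute to Microsoft. The certificates and the exact strict-mode semantics are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning


@dataclass(frozen=True)
class Cert:
    name: str
    eku: Optional[FrozenSet[str]]  # None = no EKU extension (unconstrained)


def mozilla_accepts(path: List[Cert], purpose: str) -> bool:
    """path[0] is the end-entity, path[1:] its issuers up to the trust anchor.

    Model of the behaviour described in the thread: a CA that carries an EKU
    extension must list the purpose being validated (so id-kp-serverAuth
    chains), except that id-kp-OCSPSigning is never demanded of an issuing
    CA. Extra EKUs on a CA, OCSPSigning included, are tolerated.
    """
    leaf, issuers = path[0], path[1:]
    if leaf.eku is None or purpose not in leaf.eku:
        return False  # the end-entity must assert the purpose itself
    if purpose == OCSP_SIGNING:
        return True   # carve-out: nothing further required of the CAs
    return all(ca.eku is None or purpose in ca.eku for ca in issuers)


def strict_chaining_accepts(path: List[Cert], purpose: str) -> bool:
    """Stand-in for the reported Microsoft rule (assumed semantics): each
    certificate's EKU set must be covered by its issuer's EKU set whenever
    the issuer has an EKU extension, so an OCSP responder can only be issued
    by a CA that itself carries id-kp-OCSPSigning."""
    if path[0].eku is None or purpose not in path[0].eku:
        return False
    for child, issuer in zip(path, path[1:]):
        if issuer.eku is None:
            continue  # unconstrained issuer
        if child.eku is None or not child.eku <= issuer.eku:
            return False
    return True


# Constructed sample hierarchy: a root without EKU, an issuing CA that
# lacks OCSPSigning, and a responder certificate it issued.
ROOT = Cert("Example Root (constructed)", None)
ISSUING_CA = Cert("Example Issuing CA (constructed)", frozenset({SERVER_AUTH, CLIENT_AUTH}))
RESPONDER = Cert("Example OCSP Responder (constructed)", frozenset({OCSP_SIGNING}))

if __name__ == "__main__":
    path = [RESPONDER, ISSUING_CA, ROOT]
    print("Mozilla model :", mozilla_accepts(path, OCSP_SIGNING))          # True
    print("Strict model  :", strict_chaining_accepts(path, OCSP_SIGNING))  # False
```

Running the module shows the disagreement the thread describes: the same responder chain passes the Mozilla model and fails the strict one, because only the strict rule insists the issuing CA carry id-kp-OCSPSigning.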