On Thu, Jul 2, 2020 at 10:34 AM Paul van Brouwershaven via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I did do some testing on EKU chaining in Go, but from my understand this > works the same for Microsoft: > Go has a bug https://twitter.com/FiloSottile/status/1278501854306095104 The understanding for Microsoft isn't correct, as linked earlier in the reference materials. > Microsoft requires the EKU to be present in issuing CA certificates: > *Issuing CA certificates that chain to a participating Root CA must be > constrained to a single EKU (e.g., separate Server Authentication, S/MIME, > Code Signing, and Time Stamping uses. This means that a single Issuing CA > must not combine server authentication with S/MIME, code signing or time > stamping EKU. A separate intermediate must be used for each use case. > > https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#a-root-requirements > < > https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#a-root-requirements > > > (8)* > Did you paste the wrong section? This doesn't seem to be consistent with what you're saying, and perhaps it was just a bad copy/paste? Even if quoting Microsoft policy, how do you square this with: "A CA must technically constrain an OCSP responder such that the only EKU allowed is OCSP Signing." (from that same section) Did you read the related thread where this was previously discussed on m.d.s.p.? Technically constraining issuing CA’s based on the EKU as Microsoft > requires feels like a good thing to do. But if we leave out the OCSPSigning > EKU we must leave out all EKU constraints (and talk to Microsoft) or move > away from delegated OCSP signing certificates and all move to CA signed > responses. That's not correct, and is similar to the mistake I originally/previously made, and was thankfully corrected on, which also highlighted the security-relevant nature of it. I encourage you to give another pass at Robin's excellent write-up, at https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/XQd3rNF4yOo/bXYjt1mZAwAJ _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy