> On 18 Nov 2016, at 16:34, Rob Stradling via Public <[email protected]> wrote:
>
> On 18/11/16 15:26, Gervase Markham wrote:
>> On 18/11/16 15:04, Rob Stradling wrote:
>>> crt.sh currently has 302 CA certificates that contain the
>>> id-kp-clientAuth EKU OID
>>
>> I think you mean id-kp-emailProtection here, from your figures...
>
> Yeah, I did. Sorry about that.
>
>>> and that are trusted by Microsoft and/or Mozilla and/or Apple.
>>>
>>> Here's a summary of the EKU OIDs contained in those 302 intermediate certs:
>>>
>>>  count |   x509_extkeyusages   |        purpose
>>> -------+-----------------------+------------------------
>>>    302 | 1.3.6.1.5.5.7.3.4     | id-kp-emailProtection
>>>    284 | 1.3.6.1.5.5.7.3.2     | id-kp-clientAuth
>>>    104 | 1.3.6.1.5.5.7.3.1     | id-kp-serverAuth
>>
>> People make certs usable for both serverAuth and email/clientAuth? :-|
>
> Sadly. Do you want any more details?
>
>>>     60 | 1.3.6.1.5.5.7.3.9     | id-kp-OCSPSigning
>>
>> Wait, what?
>
> Depressing, isn't it.
This is a Microsoft issue. I don't remember the exact details, but either Microsoft PKI can't generate a dedicated OCSP responder out of a CA if the CA certificate is "EKU-constrained" without containing the id-kp-OCSPSigning, or Microsoft relying parties can't validate an OCSP response signed by such a responder. A consequence of the "EKU constraints".

Regards,
Erwann Abalea

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
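The tally Rob quotes comes from inspecting the extKeyUsage extension (RFC 5280 section 4.2.1.12) of each intermediate and counting the KeyPurposeId OIDs it carries. The following is an added example, not code from crt.sh or from anyone on this thread: it parses an EKU extension value straight from DER with the standard library only and produces the same kind of count/OID/purpose summary, flagging the two combinations discussed above (serverAuth together with emailProtection, and OCSPSigning on a CA certificate). The four EKU values in `SAMPLE` are constructed for illustration and do not represent any real CA; the `summarize` and `parse_eku` names are this example's own.

```python
"""Parse id-ce-extKeyUsage values from raw DER and summarise which key purposes
a set of CA certificates claims, in the style of the crt.sh figures above.
Added example; stdlib only; all sample data below is constructed."""
from collections import Counter

# KeyPurposeId OIDs that appear in the thread (RFC 5280 / RFC 6960).
KP_NAMES = {
    "1.3.6.1.5.5.7.3.1": "id-kp-serverAuth",
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.5.5.7.3.4": "id-kp-emailProtection",
    "1.3.6.1.5.5.7.3.9": "id-kp-OCSPSigning",
}
SERVER_AUTH, EMAIL, OCSP_SIGNING = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.9"


def _der_len(n):
    # X.690 8.1.3: short form below 128, long form (0x80 | byte count) above.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents (without tag/length) to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(der):
    """Return the list of dotted KeyPurposeId OIDs in an EKU extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, oid_body, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def summarize(eku_values):
    """Count each purpose across certs and flag the combinations from the thread."""
    counts, mixed, ocsp = Counter(), 0, 0
    for der in eku_values:
        oids = set(parse_eku(der))
        counts.update(oids)
        mixed += SERVER_AUTH in oids and EMAIL in oids
        ocsp += OCSP_SIGNING in oids
    rows = [(n, oid, KP_NAMES.get(oid, "unknown")) for oid, n in counts.most_common()]
    return {"rows": rows, "serverauth_and_email": mixed, "ocspsigning": ocsp}


# Constructed EKU values standing in for four fictional intermediate CA certs.
SAMPLE = [
    encode_eku([EMAIL, "1.3.6.1.5.5.7.3.2"]),
    encode_eku([EMAIL, "1.3.6.1.5.5.7.3.2", SERVER_AUTH]),
    encode_eku([EMAIL, "1.3.6.1.5.5.7.3.2", SERVER_AUTH, OCSP_SIGNING]),
    encode_eku([EMAIL]),
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(" count | x509_extkeyusages | purpose")
    for n, oid, name in s["rows"]:
        print(f"{n:>6} | {oid:<17} | {name}")
    print(f"serverAuth+emailProtection: {s['serverauth_and_email']}, OCSPSigning: {s['ocspsigning']}")
```

On real data the EKU value would be taken from the extension's OCTET STRING contents in each certificate; a CA certificate that carries id-kp-OCSPSigning is worth a second look, since RFC 6960 reserves that purpose for delegated responder certificates rather than the issuing CA itself.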
