Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Paul van Brouwershaven via dev-security-policy
On Sun, 18 Aug 2019, 07:18 Matt Palmer via dev-security-policy, < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Aug 15, 2019 at 05:58:56PM +, Doug Beattie via > dev-security-policy wrote: > > Shouldn’t the large enterprises that see a value in identity (as > > does GlobalSign) drive

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Paul van Brouwershaven via dev-security-policy
Thanks Tim, well written and I completely agree! In this thread, issues have been raised that EV validation is not perfect and that criminals can obtain an EV certificate (if they reveal their identity). I also agree that the validation can be improved, but as Tim stated, that doesn't mean

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-02 Thread Paul van Brouwershaven via dev-security-policy
I did do some testing on EKU chaining in Go, but from my understanding this works the same for Microsoft: An OCSP responder certificate with Extended Key Usage OCSPSigning, but an issuing CA without the EKU (result: certificate specifies an incompatible key usage)

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-02 Thread Paul van Brouwershaven via dev-security-policy
On Thu, 2 Jul 2020 at 16:41, Ryan Sleevi wrote: > > On Thu, Jul 2, 2020 at 10:34 AM Paul van Brouwershaven via > dev-security-policy wrote: > >> I did do some testing on EKU chaining in Go, but from my understanding this >> works the same for Microsoft: >> >

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-02 Thread Paul van Brouwershaven via dev-security-policy
When validating the EKU using `Test-Certificate` Windows states it's invalid, but when using `certutil` it's accepted or not explicitly checked. https://gist.github.com/vanbroup/64760f1dba5894aa001b7222847f7eef When/if I have time I will try to do some further tests with a custom setup to see if

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-06 Thread Paul van Brouwershaven via dev-security-policy
> > Some tests were performed by Paul van Brouwershaven > > https://gist.github.com/vanbroup/84859cd10479ed95c64abe6fcdbdf83d. > > As mentioned, those tests weren’t correct. I’ve provided sample test cases > to several other browser vendors, and heard back or demonstrated that > they’re

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-06 Thread Paul van Brouwershaven via dev-security-policy
openssl (Ubuntu & MacOS): Accepts the response ocspcheck (MacOS): Accepts the response Output and script located on: https://gist.github.com/vanbroup/84859cd10479ed95c64abe6fcdbdf83d On Mon, 6 Jul 2020 at 12:09, Dimitris Zacharopoulos wrote: > On 6/7/2020 11:39 a.m., Paul van Brouwersha

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-03 Thread Paul van Brouwershaven via dev-security-policy
For those who are interested, in contrast to the direct EKU validation with Test-Certificate, certutil does validate the OCSP signing EKU on the delegated OCSP signing certificate but doesn't validate the certificate chain for the OCSP signing EKU. Full test script and output can be found here:

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-02 Thread Paul van Brouwershaven via dev-security-policy
Thanks for raising this issue Ryan, I'm trying to update http://revocationcheck.com/ to cover this issue. From my understanding: The OCSPnocheck extension is only required for a delegated OCSP responder certificate as it can't provide answers for itself. For a CA certificate in (CA signed
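As an added worked example that is not part of the thread and not code from Paul's gists: the Go program below builds three throw-away hierarchies with the standard library's crypto/x509 and asks cert.Verify, with KeyUsages set to ExtKeyUsageOCSPSigning, whether each candidate may act as an OCSP responder. That is the EKU-chaining test the 2020-07-02 message on Go testing describes, and the program also places the id-pkix-ocsp-nocheck extension on the delegated responder certificate discussed in the message directly above. Every certificate name is constructed for the example, and the verdicts reflect the current standard library (an assumption about the Go version you run). Go's chain builder only consults certificates that actually carry an EKU extension, so a root without any EKU does not constrain its children: the delegated responder verifies, a sub-CA whose own EKU list includes OCSPSigning also verifies as a responder for the root (the certificate shape this thread is about), and only a responder issued under a sub-CA whose EKU is limited to serverAuth fails with "x509: certificate specifies an incompatible key usage".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-pkix-ocsp-nocheck (RFC 6960, 4.2.2.2.1); emitted only on the delegated responder.
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}

type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a throw-away P-256 certificate signed by parent (self-signed when parent is
// nil). A nil ekus omits the EKU extension, which Go's chain builder treats as unrestricted.
func issue(cn string, parent *certPair, isCA bool, ekus []x509.ExtKeyUsage, noCheck bool) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // constructed name, example only
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if noCheck { // RFC 6960: the extension value is ASN.1 NULL
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidOCSPNoCheck, Value: asn1.NullBytes}}
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &certPair{cert: cert, key: key}
}

// verifyAsOCSPSigner: every chain certificate that carries an EKU extension must permit OCSPSigning.
func verifyAsOCSPSigner(cert, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}})
	return err
}

// isIncompatibleUsage matches Go's "x509: certificate specifies an incompatible key usage".
func isIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

// runScenarios returns the delegated responder certificate and Go's verdict for three shapes.
func runScenarios() (responder *x509.Certificate, noEKURoot, subCAAsResponder, tlsOnlyCA error) {
	ocsp := []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	root := issue("Example Root CA (no EKU)", nil, true, nil, false)
	resp := issue("Example Delegated OCSP Responder", root, false, ocsp, true)
	subCA := issue("Example Sub CA listing OCSPSigning", root, true, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning}, false)
	tlsCA := issue("Example Sub CA, serverAuth only", root, true, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false)
	resp2 := issue("Example Responder under serverAuth-only CA", tlsCA, false, ocsp, true)
	return resp.cert, verifyAsOCSPSigner(resp.cert, root.cert), verifyAsOCSPSigner(subCA.cert, root.cert),
		verifyAsOCSPSigner(resp2.cert, root.cert, tlsCA.cert)
}

func main() {
	_, a, b, c := runScenarios()
	fmt.Println("responder under root with no EKU:        ", a)
	fmt.Println("sub-CA listing OCSPSigning, as responder:", b)
	fmt.Println("responder under serverAuth-only CA:      ", c)
}
```

`go run` prints `<nil>` for the first two shapes and the incompatible-key-usage error for the third. The practical check for a CA is therefore not only whether a delegated responder carries OCSPSigning, but whether any CA certificate below its root does, because Go (and, per the messages above, openssl) will treat such a certificate as a valid responder for everything its issuer signed.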