On Wed, Sep 4, 2019 at 11:06 AM Ben Wilson <ben.wil...@digicert.com> wrote:

> I thought that the EKU "id-kp-OCSPSigning" was for the OCSP responder
> certificate itself (not the CA that issues the OCSP responder certificate).
> I don't think I've encountered a problem before, but I guess it would
> depend
> on the implementation?

Correct. Mozilla does not require the EKU chaining, in technical
implementation or in policy. The aforementioned comments, however, indicate
CAs have reported that Microsoft does. That is, the assertion is that
Microsoft requires that issuing CAs bear an overlapping set of EKUs that
align with their issued certificates, whether subordinate CAs, end-entity,
or OCSP responders. Mozilla requires the same thing with respect to
id-kp-serverAuth, but the Mozilla code has a special carve-out for
id-kp-OCSPSigning that both doesn't require it on intermediate CAs and
allows it to be present, precisely because of the presumed Microsoft

dev-security-policy mailing list
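
The two EKU-chaining policies described in the reply, as an added illustration that is not part of the thread and not Mozilla's (mozilla::pkix) or Microsoft's code; certificates are modelled as plain dicts, the chains are constructed samples, and the "absent EKU means unconstrained CA" reading is an assumption of this example:

```python
# Illustrative EKU-chaining check for the policies discussed in the thread.
# Certificates are dicts with "name" and "eku" (a set of OIDs, or None when the
# certificate has no EKU extension). Not mozilla::pkix or Microsoft code.

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


def check_eku_chaining(chain, required_eku, strict_ocsp_chaining=False):
    """Return a list of problems (empty = pass) for `chain`, leaf first.

    Every CA that carries an EKU extension must also carry `required_eku`.
    strict_ocsp_chaining=False models the Mozilla carve-out: id-kp-OCSPSigning
    is not required on intermediate CAs but may be present.
    strict_ocsp_chaining=True models the reported Microsoft behaviour: the
    issuing CA must overlap with the OCSP responder's EKU as well.
    """
    problems = []
    leaf, cas = chain[0], chain[1:]
    leaf_eku = leaf.get("eku")
    if required_eku == ID_KP_OCSP_SIGNING:
        # RFC 6960 s4.2.2.2: a delegated responder must assert OCSPSigning explicitly.
        if leaf_eku is None or required_eku not in leaf_eku:
            problems.append(f"{leaf['name']}: responder lacks id-kp-OCSPSigning")
    elif leaf_eku is not None and required_eku not in leaf_eku:
        problems.append(f"{leaf['name']}: EKU present but lacks {required_eku}")
    ocsp_carve_out = required_eku == ID_KP_OCSP_SIGNING and not strict_ocsp_chaining
    for ca in cas:
        ca_eku = ca.get("eku")
        # Assumption: a CA with no EKU extension is unconstrained.
        if ca_eku is None or ocsp_carve_out:
            continue
        if required_eku not in ca_eku:
            problems.append(f"{ca['name']}: EKU present but lacks {required_eku}")
    return problems


# Constructed sample certificates (hypothetical names, not real CAs).
ROOT = {"name": "Example Root", "eku": None}
ICA_WEB = {"name": "Example Web ICA", "eku": {ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH}}
ICA_WEB_OCSP = {"name": "Example Web+OCSP ICA", "eku": {ID_KP_SERVER_AUTH, ID_KP_OCSP_SIGNING}}
ICA_MAIL = {"name": "Example Mail ICA", "eku": {ID_KP_EMAIL_PROTECTION}}
LEAF_TLS = {"name": "www.example.test", "eku": {ID_KP_SERVER_AUTH}}
RESPONDER = {"name": "ocsp.example.test", "eku": {ID_KP_OCSP_SIGNING}}
```

Running the responder chain through `ICA_WEB` passes under the Mozilla carve-out and fails in strict mode, while `ICA_WEB_OCSP` passes under both.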
