On Thu, 2 Jul 2020 at 16:41, Ryan Sleevi <r...@sleevi.com> wrote: > > On Thu, Jul 2, 2020 at 10:34 AM Paul van Brouwershaven via > dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > >> I did do some testing on EKU chaining in Go, but from my understand this >> works the same for Microsoft: >> > > Go has a bug https://twitter.com/FiloSottile/status/1278501854306095104 > > The understanding for Microsoft isn't correct, as linked earlier in the > reference materials. >
I wasn't aware that this would be for ADCS only. The Windows certificate viewer doesn't validate the purpose but after a quick test with the powershell command Test-Certificate, it does look to validate the EKU path on Windows 10: Get-ChildItem -Path Cert:\currentUser\addressbook\63D6AEAD044E9D720930D7F814B7C74DBB541572 | Test-Certificate -User -AllowUntrustedRoot -EKU "1.3.6.1.5.5.7.3.9" WARNING: Chain status: CERT_TRUST_IS_NOT_VALID_FOR_USAGE Test-Certificate : The certificate is not valid for the requested usage. 0x800b0110 (-2146762480 CERT_E_WRONG_USAGE) At line:1 char:94 + ... DBB541572 | Test-Certificate -User -AllowUntrustedRoot -EKU "1.3.6.1. ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:Certificate) [Test-Certificate], Exception + FullyQualifiedErrorId : CryptographicError,Microsoft.CertificateServices.Commands.TestCertificate (the certificates in the test above are from the chain generated by my previous example) > >> Microsoft requires the EKU to be present in issuing CA certificates: > > >> *Issuing CA certificates that chain to a participating Root CA must be >> constrained to a single EKU (e.g., separate Server Authentication, S/MIME, >> Code Signing, and Time Stamping uses. This means that a single Issuing CA >> must not combine server authentication with S/MIME, code signing or time >> stamping EKU. A separate intermediate must be used for each use case. >> >> https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#a-root-requirements >> < >> https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#a-root-requirements >> > >> (8)* >> > > Did you paste the wrong section? This doesn't seem to be consistent with > what you're saying, and perhaps it was just a bad copy/paste? Even if > quoting Microsoft policy, how do you square this with: "A CA must > technically constrain an OCSP responder such that the only EKU allowed is > OCSP Signing." (from that same section) > No, it does state that the EKU for other purposes must be set in the ussing CA, my point here is that when you set these it does exclude OCSP signing. The other item of the policy you refer to is confusing as it doesn't seem to make a difference between CA signed and CA delegated responses, it might even prohibit CA signed responses? > Did you read the related thread where this was previously discussed on > m.d.s.p.? > > Technically constraining issuing CA’s based on the EKU as Microsoft >> requires feels like a good thing to do. But if we leave out the >> OCSPSigning >> EKU we must leave out all EKU constraints (and talk to Microsoft) or move >> away from delegated OCSP signing certificates and all move to CA signed >> responses. > > > That's not correct, and is similar to the mistake I originally/previously > made, and was thankfully corrected on, which also highlighted the > security-relevant nature of it. I encourage you to give another pass at > Robin's excellent write-up, at > https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/XQd3rNF4yOo/bXYjt1mZAwAJ > Thanks, it's an interesting thread, but as shown above, Windows does validate the EKU chain, but doesn't look to validate it for delegated OCSP signing certificates? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy