When validating the EKU using `Test-Certificate` Windows states it's invalid, but when using `certutil` it's accepted or not explicitly checked.
https://gist.github.com/vanbroup/64760f1dba5894aa001b7222847f7eef

When/if I have time I will try to do some further tests with a custom setup to see if the EKU is validated at all.

On Thu, 2 Jul 2020 at 19:26, Ryan Sleevi <r...@sleevi.com> wrote:

> On Thu, Jul 2, 2020 at 1:15 PM Paul van Brouwershaven <p...@vanbrouwershaven.com> wrote:
>
>>> That's not correct, and is similar to the mistake I originally/previously
>>> made, and was thankfully corrected on, which also highlighted the
>>> security-relevant nature of it. I encourage you to give another pass at
>>> Robin's excellent write-up, at
>>> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/XQd3rNF4yOo/bXYjt1mZAwAJ
>>
>> Thanks, it's an interesting thread, but as shown above, Windows does
>> validate the EKU chain, but doesn't look to validate it for delegated OCSP
>> signing certificates?
>
> The problem is providing the EKU as you're doing, which forces chain
> validation of the EKU, as opposed to validating the OCSP response, which
> does not.
>
> A more appropriate test is to install the test root R as a locally trusted
> CA, issue an intermediate I (without the EKU/only id-kp-serverAuth), issue
> an OCSP responder O (with the EKU), and issue a leaf cert L. You can then
> validate the OCSP response from the responder cert (that is, an OCSP
> response signed by the chain O-I-R) for the certificate L-I-R.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
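The R/I/O/L test hierarchy Ryan describes, as an added example that is not part of the thread, built with the OpenSSL CLI in a POSIX shell rather than the Windows tools the thread used: it assumes `openssl` (1.1.1 or later) is on the path, and adds a second responder N without id-kp-OCSPSigning as the negative case so the verifier's EKU check is visible.

```shell
#!/bin/sh
# Added example (constructed; not code from the thread). Builds the hierarchy Ryan
# describes with OpenSSL and checks that OCSP verification enforces id-kp-OCSPSigning:
# R = root, I = intermediate (no EKU), L = leaf issued by I, O = responder issued by I
# with the EKU, N = responder issued by I without it (negative case).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
cat > ext.cnf <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[leaf]
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
[resp_eku]
basicConstraints=CA:FALSE
extendedKeyUsage=OCSPSigning
[resp_noeku]
basicConstraints=CA:FALSE
EOF
# issue NAME SECTION ISSUER: fresh key + CSR for NAME, certified by ISSUER with the
# extensions of SECTION (self-signed when ISSUER = NAME).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  if [ "$3" = "$1" ]; then signer="-signkey $1.key"
  else signer="-CA $3.pem -CAkey $3.key -CAcreateserial"; fi
  openssl x509 -req -in "$1.csr" $signer -days 30 -extfile ext.cnf -extensions "$2" -out "$1.pem" 2>/dev/null
}
issue R ca R; issue I ca R; issue L leaf I; issue O resp_eku I; issue N resp_noeku I
# Responder database: one row for L (status, expiry, revocation date, serial, file, DN).
printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=L\n' \
  "$(openssl x509 -in L.pem -noout -serial | cut -d= -f2)" > index.txt
# respond RESPONDER: DER OCSP response for L signed by RESPONDER; I is attached so a
# client can build RESPONDER -> I -> R.
respond() {
  openssl ocsp -index index.txt -CA I.pem -rsigner "$1.pem" -rkey "$1.key" -rother I.pem \
    -issuer I.pem -cert L.pem -no_nonce -noverify -respout "$1.resp" >/dev/null 2>&1
}
# check RESPONDER: verify that response with only R trusted; returns 0 when OpenSSL
# accepts it, 1 on "Response Verify Failure" (for N: missing ocspsigning usage).
check() {
  out=$(openssl ocsp -respin "$1.resp" -issuer I.pem -cert L.pem -CAfile R.pem -no_nonce 2>&1 || true)
  echo "$1: $(echo "$out" | grep -E 'Response [Vv]erify|ocspsigning' | tr '\n' ' ')"
  echo "$out" | grep -q 'Response verify OK'
}
respond O; respond N
check O          # EKU present: Response verify OK
check N || true  # EKU absent: Response Verify Failure, missing ocspsigning usage
```

Note that both responses carry a valid signature over a chain that terminates in the trusted root; only the delegated-responder rule (RFC 6960 section 4.2.2.2) separates them, which is the check the thread asks whether Windows performs.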