2020-07-02 10:40 GMT-04:00 Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org>:
> On Thu, Jul 2, 2020 at 10:34 AM Paul van Brouwershaven via
> dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > I did do some testing on EKU chaining in Go, but from my understanding this
> > works the same for Microsoft:
> >
> > Go has a bug https://twitter.com/FiloSottile/status/1278501854306095104
Yep. In fact, Go simply doesn't have an OCSP verifier. We should fix that! I filed an issue: https://golang.org/issues/40017 <https://github.com/golang/go/issues/40017>

The pieces are there (OCSP request serialization and response parsing, signature verification, a chain builder) but the logic stringing them together is not. That includes building the chain without requesting the EKU up the path, and then checking the EKU only on the Responder itself.

It's unfortunate that the Mozilla requirement (that the Responder must be an EE) is not standard, because that would have allowed the OCSP EKU to work like any other, nested up the chain, but that's just not how it works and it's too late to change, so it has to be special-cased out of the chain nesting requirement, or it wouldn't be possible to mint an Intermediate that can in turn mint Responders, without making the Intermediate a Responder itself.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
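To make the verification logic described in the reply concrete, here is an added Go example that is not code from the thread or from the Go project: it builds a constructed three-level test hierarchy with crypto/x509 and contrasts the nested EKU check (requesting id-kp-OCSPSigning from Verify, which demands that EKU on every CA in the path) with the responder-only check the reply proposes (chain built with ExtKeyUsageAny, EKU then required on the responder itself). It assumes only the Go standard library and covers just the chain-and-EKU step, not OCSP response parsing or response signature checking; all names, CN values and the serverAuth-only issuing CA profile are constructed for the example.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "crypto/x509"
import "crypto/x509/pkix"
import "math/big"
import "time"

// issue signs a certificate for a fresh Ed25519 key under parent/pkey (self-signed when parent is nil); IsCA follows from keyCertSign.
func issue(cn string, ku x509.KeyUsage, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, ExtKeyUsage: eku,
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // fixed test inputs, so errors are not handled here
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// buildPKI returns constructed test data (not a real hierarchy) and the trust store to verify it against.
func buildPKI() (resp *x509.Certificate, opts x509.VerifyOptions) {
	root, rkey := issue("Test Root", x509.KeyUsageCertSign, nil, nil, nil)
	inter, ikey := issue("Test Issuing CA", x509.KeyUsageCertSign, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, root, rkey) // serverAuth-only CA, a common profile
	resp, _ = issue("Test OCSP Responder", x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}, inter, ikey) // delegated responder
	opts = x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(inter)
	return resp, opts
}
// nestedEKU is the behaviour the thread calls a bug: asking Verify for id-kp-OCSPSigning makes Go demand that EKU on every CA in the path.
func nestedEKU(resp *x509.Certificate, opts x509.VerifyOptions) error {
	opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	_, err := resp.Verify(opts) // rejected: the serverAuth-only issuing CA carries no id-kp-OCSPSigning
	return err
}
// responderEKU is the reply's proposal: build the chain with no EKU requirement up the path, then require the EKU on the responder alone.
func responderEKU(resp *x509.Certificate, opts x509.VerifyOptions) error {
	opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageAny} // ExtKeyUsageAny switches Verify's nested EKU check off
	if _, err := resp.Verify(opts); err != nil {
		return err
	}
	for _, u := range resp.ExtKeyUsage {
		if u == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}
	return x509.CertificateInvalidError{Cert: resp, Reason: x509.IncompatibleUsage, Detail: "responder lacks id-kp-OCSPSigning"}
}
```

A complete verifier also has to confirm that a delegated responder was issued by the CA that issued the certificate whose status is being checked, and that the OCSP response signature verifies under the responder's key.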