[cabfpub] Mozilla SHA-1 further restrictions
Rob Stradling
rob.stradling at comodo.com
Fri Nov 18 16:20:41 UTC 2016
On 18/11/16 16:09, Erwann Abalea wrote:
<snip>
>>>> 60 | 1.3.6.1.5.5.7.3.9 | id-kp-OCSPSigning
>>>
>>> Wait, what?
>>
>> Depressing, isn't it.
>
> This is a Microsoft issue. I don’t remember the exact details, but either Microsoft PKI can’t generate a dedicated OCSP responder out of a CA if the CA certificate is « EKU-constrained » without containing the id-kp-OCSPSigning, or Microsoft relying parties can’t validate an OCSP response signed by such a responder.
> A consequence of the « EKU constraints ».
It's the former, and there's a workaround (which we've used successfully):
Use an untrusted root to issue an unconstrained intermediate with the
same Subject/PublicKey as the trusted, constrained intermediate (that
lacks the OCSP Signing EKU OID). Having then installed the untrusted,
unconstrained intermediate into your Microsoft CA environment, use it to
issue an OCSP responder cert. Then you can use that OCSP responder cert
in conjunction with your trusted, constrained intermediate.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
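The workaround described in the message above, reproduced with openssl as an added example (not code from the post or from any CA's tooling): one intermediate key and CSR are signed twice, once EKU-constrained under the trusted root and once unconstrained under a throwaway root, the OCSP responder cert is issued by the unconstrained twin, and the result is then path-validated against the trusted, constrained intermediate. All DNs, file names and key sizes are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the list post): the "same Subject/PublicKey"
# intermediate workaround reproduced with openssl, so the OCSP responder cert
# issued under the untrusted, unconstrained intermediate can be checked
# against the trusted, EKU-constrained one. Names and DNs are made up.
set -e

# Builds the certs in a temp dir; prints the matching key identifiers and the
# verify result, and returns 0 only if ocsp.crt chains to the trusted root.
ocsp_workaround() {
  W=$(mktemp -d); cd "$W"
  RQ="openssl req -new -nodes -newkey rsa:2048"
  # Two roots: one trusted, one used only to mint the unconstrained twin.
  $RQ -x509 -keyout trusted-root.key -out trusted-root.crt -subj "/CN=Trusted Root" -days 3650 2>/dev/null
  $RQ -x509 -keyout untrusted-root.key -out untrusted-root.crt -subj "/CN=Untrusted Root" -days 3650 2>/dev/null
  # ONE intermediate key and ONE CSR: both intermediates share Subject and public key.
  $RQ -keyout int.key -out int.csr -subj "/CN=Example Issuing CA" 2>/dev/null
  # Constrained profile (trusted intermediate: EKU present, no id-kp-OCSPSigning)
  # versus the unconstrained twin (no EKU at all); responder profile last.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nextendedKeyUsage=serverAuth\n' > constrained.ext
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > unconstrained.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning\nauthorityKeyIdentifier=keyid\n' > ocsp.ext
  openssl x509 -req -in int.csr -CA trusted-root.crt -CAkey trusted-root.key -CAcreateserial \
    -extfile constrained.ext -days 1825 -out int-trusted.crt 2>/dev/null
  openssl x509 -req -in int.csr -CA untrusted-root.crt -CAkey untrusted-root.key -CAcreateserial \
    -extfile unconstrained.ext -days 1825 -out int-untrusted.crt 2>/dev/null
  # Responder cert issued by the untrusted twin (the step the CA software
  # refuses to do from the constrained cert), signed with the shared key.
  $RQ -keyout ocsp.key -out ocsp.csr -subj "/CN=Example OCSP Responder" 2>/dev/null
  openssl x509 -req -in ocsp.csr -CA int-untrusted.crt -CAkey int.key -CAcreateserial \
    -extfile ocsp.ext -days 365 -out ocsp.crt 2>/dev/null
  # Same key => same SKI hash, so the responder's AKI points at the trusted twin too.
  openssl x509 -in int-trusted.crt -noout -ext subjectKeyIdentifier
  openssl x509 -in ocsp.crt -noout -ext authorityKeyIdentifier
  # Path validation against the TRUSTED root via the CONSTRAINED intermediate;
  # the untrusted root and its twin play no part here.
  openssl verify -CAfile trusted-root.crt -untrusted int-trusted.crt ocsp.crt
}

ocsp_workaround
```

Note that `openssl verify` performs plain RFC 5280 path building here and does not apply Microsoft's EKU-chaining rule, so this shows that the responder cert chains to the trusted intermediate, not how a given relying party treats the EKU mismatch.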