Paul Hoffman wrote:

> For this to work, Microsoft path validation also checks that the end
> certificate is consistent with the EKU property of the root. This part
> adds to X.509 and RFC 3280bis. A certificate is considered consistent
> with the root EKU if each CA certificate in the path either has an
> absent EKU extension or expresses an EKU consistent with the intended
> usage.

<snip>

> Microsoft chain validation honors extensions in roots and processes them if
> they have any relevance for path processing. Technically you can see
> this as an extended validation process where we expand the inputs to the
> path validation algorithm.
Right, it seems analogous to the process whereby an EV OID is stored with the preloaded root and EV policy OIDs in the end entity certs are checked against policy OIDs in the chain and against the OID associated with the root. (An absent EKU extension in an intermediate would then correspond to an anyPolicy OID in the EV case.)

Thanks for passing on this information!

Frank

--
Frank Hecker
[EMAIL PROTECTED]

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
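The EKU consistency rule quoted above, written out as an added example (not code from the thread or from Microsoft's implementation): the root's EKU property is a set stored alongside the trust anchor, each CA certificate either omits the EKU extension or must list the intended usage, and the effective usages of a chain are the intersection of all constraints. Treating an absent EKU extension on the end-entity certificate as unconstrained, like the anyPolicy analogy Frank draws, is an assumption of this example, as are the certificate names and the shape of the `Cert` record.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

# Well-known id-kp OIDs (RFC 3280 section 4.2.1.13)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ANY_USAGE = "2.5.29.37.0"  # anyExtendedKeyUsage


@dataclass(frozen=True)
class Cert:
    name: str
    eku: Optional[FrozenSet[str]] = None  # None: EKU extension absent


def cert_usages(eku: Optional[FrozenSet[str]]) -> Optional[FrozenSet[str]]:
    """Return the usages a certificate permits, or None for 'unconstrained'.
    Absent EKU and anyExtendedKeyUsage both mean no restriction (assumption
    for the end-entity case; the thread only states it for CA certificates)."""
    if eku is None or ANY_USAGE in eku:
        return None
    return eku


def effective_usages(root_eku: Optional[FrozenSet[str]],
                     chain: Sequence[Cert]) -> Optional[FrozenSet[str]]:
    """Intersect the root's stored EKU property with every certificate in the
    path (intermediates first, end entity last). None means any usage."""
    allowed = cert_usages(root_eku)
    for cert in chain:
        usages = cert_usages(cert.eku)
        if usages is None:
            continue  # absent EKU: does not narrow the set
        allowed = usages if allowed is None else allowed & usages
    return allowed


def eku_consistent(root_eku: Optional[FrozenSet[str]],
                   chain: Sequence[Cert], intended: str) -> bool:
    """True if the chain may be used for `intended` under the quoted rule."""
    allowed = effective_usages(root_eku, chain)
    return allowed is None or intended in allowed


# Constructed sample chain: root property permits two usages, the
# intermediate omits the EKU extension, the leaf asserts serverAuth only.
ROOT_EKU = frozenset({SERVER_AUTH, CODE_SIGNING})
SAMPLE_CHAIN = [Cert("Example Intermediate CA"),
                Cert("www.example.test", frozenset({SERVER_AUTH}))]

if __name__ == "__main__":
    print(eku_consistent(ROOT_EKU, SAMPLE_CHAIN, SERVER_AUTH))   # True
    print(eku_consistent(ROOT_EKU, SAMPLE_CHAIN, CODE_SIGNING))  # False
```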