Re: Microsoft root CA cert requirements updated

2008-03-05 Thread Paul Hoffman
At 6:21 PM +0100 3/5/08, Jean-Marc Desperrier wrote: >Paul Hoffman wrote: >> [...] >> For this to work, Microsoft path validation also checks that the end >> certificate is consistent with the EKU property of the root. This part >> adds to X.509 and rfc 3280bis. > >:s/adds to/conflicts with/ A

Re: Microsoft root CA cert requirements updated

2008-03-05 Thread Jean-Marc Desperrier
Paul Hoffman wrote: > [...] > For this to work, Microsoft path validation also checks that the end > certificate is consistent with the EKU property of the root. This part > adds to X.509 and rfc 3280bis. :s/adds to/conflicts with/ > [...] > The normal case is that the root certificate does not

Re: Microsoft root CA cert requirements updated

2008-03-04 Thread Nelson Bolyard
Paul Hoffman wrote, On 2008-03-04 07:49: > Here is a slightly edited version of what a lead security developer > at Microsoft told me with regard to EKUs and path processing. [snip] > Every root certificate is stored with some properties that are not > cryptographically bound to the certificate, b

Re: Microsoft root CA cert requirements updated

2008-03-04 Thread Frank Hecker
Paul Hoffman wrote: > For this to work, Microsoft path validation also checks that the end > certificate is consistent with the EKU property of the root. This part > adds to X.509 and rfc 3280bis. A certificate is considered consistent > with the root EKU if each CA certificate in the path eithe

Re: Microsoft root CA cert requirements updated

2008-03-04 Thread Paul Hoffman
Here is a slightly edited version of what a lead security developer at Microsoft told me with regard to EKUs and path processing. To the core issue. Does EKU need to be in the root certificate? The answer is: no. Every root certificate is stored with some properties that are not cryptographica

Re: Microsoft root CA cert requirements updated

2008-03-02 Thread Paul Hoffman
At 11:39 PM +0100 3/1/08, Jean-Marc Desperrier wrote: >Nelson Bolyard wrote: >> Every root CA has EKU info associated with it, limiting the applications >> for that CA. > > From their document: >"We will attach EKU metadata to the certificate as metadata in the >Windows certificate store so

Re: Microsoft root CA cert requirements updated

2008-03-01 Thread Jean-Marc Desperrier
Nelson Bolyard wrote: > Every root CA has EKU info associated with it, limiting the applications > for that CA. From their document: "We will attach EKU metadata to the certificate as metadata in the Windows certificate store so you do not need to regenerate your root certificate with the E

Re: Microsoft root CA cert requirements updated

2008-03-01 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker wrote: > Eddy Nigg (StartCom Ltd.) wrote: >> Interesting also that they covered issues we've touched recently here, >> one might think that they actively monitor this mailing list ;-) >> > > You can remove the smiley; I know for a fact that Microsoft folks were > indeed followin

Re: Microsoft root CA cert requirements updated

2008-02-29 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > Nelson Bolyard wrote: >> FYI, The documents for Microsoft's Root Certificate program >> http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?mfr=true >> >> >> were updated somewhat recently. Very interesting reading. > Interesting also that the

Re: Microsoft root CA cert requirements updated

2008-02-29 Thread Eddy Nigg (StartCom Ltd.)
Nelson Bolyard wrote: > FYI, The documents for Microsoft's Root Certificate program > http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?mfr=true > were updated somewhat recently. Very interesting reading. > > They require annual audits. > > Every root CA has EKU info associated

Microsoft root CA cert requirements updated

2008-02-29 Thread Nelson Bolyard
FYI, The documents for Microsoft's Root Certificate program http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?mfr=true were updated somewhat recently. Very interesting reading. They require annual audits. Every root CA has EKU info associated with it, limiting the applications