Changes


CA/Forbidden or Problematic Practices

120 bytes added, 17:54, 21 August 2014
Please test your OCSP responder within the Firefox browser by enforcing OCSP as per our [[CA:Recommended_Practices#OCSP|CA Recommended Practices for OCSP]].

=== CRL with critical CIDP Extension ===

Currently Firefox handles "full" CRLs, but not "partitioned" CRLs. Partitioned CRLs are identified by the presence of a CRL Issuing Distribution Point (CIDP) extension flagged as critical. Firefox is not presently able to load CRLs with critical CIDP extensions. When attempting to load a CRL with a critical CIDP extension, Firefox will return the error code ffffe095, which is equivalent to the negative decimal number -8043. According to the [http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html NSS Error Codes], this error corresponds to SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION.

The NSS team hopes to eventually implement partitioned CRLs, and when that work is done, Firefox should allow CRLs with critical CIDP extensions. However, even when that is done, older versions of Firefox will still not be able to load CRLs with critical CIDP extensions.

Our recommendation is to not put critical CIDP extensions into full CRLs, and to make full CRLs available for download when practical.

=== SHA-1 Certificates ===

SHA-1 certificates may be compromised when attackers can create a fake cert that hashes to the same value as one with a legitimate signature, and is hence trusted. Mozilla can mitigate this potential vulnerability by turning off support for SHA-1 based signatures. The SHA-1 root certificates don't necessarily need to be removed from NSS, because the signatures of root certificates are not validated (roots are self-signed). Disabling SHA-1 will impact intermediate and end entity certificates, where the signatures are validated.

There are still many end entity certificates that would be impacted if support for SHA-1 based signatures was turned off. Therefore, we are hoping to give CAs time to react, and are planning to turn off support for SHA-1 based signatures in 2017. Note that Mozilla will take this action earlier if needed to keep our users safe.

CAs should not be issuing new SHA-1 certificates, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates.

If the CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expire before 2017.
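The two conditions discussed above, a CRL carrying a critical CIDP extension and an intermediate or end-entity object signed with SHA-1, can both be checked by walking the DER of the object without verifying its signature. The following is an added example written for this page; it is not code from the Mozilla wiki, NSS or Firefox. It constructs a minimal CRL inline (placeholder signature bytes, a placeholder issuer name and a placeholder partition URI under example.test), then runs the checks on it, and it also shows how the hex code ffffe095 that Firefox reports maps to the signed value -8043 that the NSS error tables use. The DER helpers assume well-formed input with single-byte tags, which is true of X.509 structures; a production check should use a full X.509 library.

```python
# Added example: minimal DER walker for the CIDP and SHA-1 checks described on the page.
# Assumptions: well-formed DER, single-byte tags; sample CRL below is constructed, not real.

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5",  # sha1WithRSAEncryption
    "1.2.840.10045.4.1",     # ecdsa-with-SHA1
    "1.2.840.10040.4.3",     # dsa-with-sha1
}
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"
IDP_OID = "2.5.29.28"  # id-ce-issuingDistributionPoint


def nss_error_code(hex_code):
    """Interpret an error printed as 32-bit hex (e.g. 'ffffe095') as the signed
    value NSS defines, so it can be looked up in the NSS error code tables."""
    value = int(hex_code, 16)
    return value - (1 << 32) if value & 0x80000000 else value


def tlv(tag, body):
    """DER-encode one tag/length/value triple (short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def children(body):
    """Split a constructed DER body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out


def build_sample_crl(sig_oid, critical_idp):
    """Constructed CRL (placeholder signature bits, not verifiable) for offline testing."""
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, b"Constructed Test CA"))))
    tbs = tlv(0x02, b"\x01") + alg + issuer + tlv(0x17, b"140821175400Z") + tlv(0x17, b"140822175400Z")
    if critical_idp:
        # IssuingDistributionPoint { distributionPoint [0] { fullName [0] { uri [6] } } }:
        # a partition URI (placeholder host) marks this as one slice of the issuer's revocations.
        idp = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.test/partition-1.crl"))))
        ext = tlv(0x30, encode_oid(IDP_OID) + tlv(0x01, b"\xff") + tlv(0x04, idp))  # critical TRUE
        tbs += tlv(0xA0, tlv(0x30, ext))  # crlExtensions [0] EXPLICIT Extensions
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" * 17))


def _split_signed(der):
    """Certificate and CertificateList share SEQUENCE { tbs, signatureAlgorithm, signature }."""
    (_, body), = children(der)
    tbs, alg, sig = children(body)
    return tbs, alg, sig


def signature_algorithm(der):
    """Dotted OID of the outer signature algorithm of a certificate or CRL."""
    _, (_, alg_body), _ = _split_signed(der)
    return decode_oid(children(alg_body)[0][1])


def uses_sha1_signature(der):
    return signature_algorithm(der) in SHA1_SIGNATURE_OIDS


def crl_critical_extensions(der):
    """OIDs of CRL extensions whose 'critical' flag is TRUE."""
    (_, tbs_body), _, _ = _split_signed(der)
    critical = []
    for tag, value in children(tbs_body):
        if tag != 0xA0:  # in TBSCertList only crlExtensions [0] is context-tagged
            continue
        (_, exts), = children(value)
        for _, ext in children(exts):
            fields = children(ext)  # extnID, [critical], extnValue
            if len(fields) == 3 and fields[1][0] == 0x01 and fields[1][1] != b"\x00":
                critical.append(decode_oid(fields[0][1]))
    return critical


def crl_has_critical_idp(der):
    """True for the CRL shape the page says Firefox rejects with
    SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION (-8043, printed as ffffe095)."""
    return IDP_OID in crl_critical_extensions(der)
```

Because certificates and CRLs share the same outer structure, `signature_algorithm` works unchanged on DER certificates, which is how a CA can inventory intermediates and end-entity certificates still signed with SHA-1; self-signed roots can be left out of that inventory for the reason the section gives, their signatures are not validated. The conversion in `nss_error_code` is plain two's-complement reinterpretation of the 32-bit value, which is why ffffe095 and -8043 name the same NSS error.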
=== Generic names for CAs ===