Confirmed users, Administrators
5,526
edits
SecurityEngineering/mozpkix-testing: Difference between revisions
SecurityEngineering/mozpkix-testing (view source)
Revision as of 18:41, 21 September 2015
, 21 September 2015→Things for CAs to Fix
| Line 104: | Line 104: | ||
#* Related Bugs: {{Bug|1025625}}, {{Bug|997509}} | #* Related Bugs: {{Bug|1025625}}, {{Bug|997509}} | ||
# All times in all certificates must be encoded in a way that conforms to the stricter requirements in RFC 5280. In particular, the timezone must always be specified as "Z" (Zulu/GMT). | # All times in all certificates must be encoded in a way that conforms to the stricter requirements in RFC 5280. In particular, the timezone must always be specified as "Z" (Zulu/GMT). | ||
#* Related Bugs: {{Bug|1152515}} | #* Related Bugs: {{Bug|1152515#c15}}, {{Bug|1085238#c4}}, {{Bug|1019770}} | ||
#* Beginning in Firefox 33, mozilla::pkix enforces the requirement that the timezone always be specified as "Z". However, there may be some UX and certificate viewer cleanup needed to make this more clear, as per {{Bug|1152515#c15}} and {{Bug|1152515#c16}} | |||
# When signing OCSP responses with a delegated OCSP response signing certificate, ensure that the delegated OCSP response signing certificate will not expire before the OCSP response expires. Otherwise, when doing OCSP stapling, some servers will cache the OCSP response past the point where the delegated response signing certificate expires, and then Firefox will reject the connection. | # When signing OCSP responses with a delegated OCSP response signing certificate, ensure that the delegated OCSP response signing certificate will not expire before the OCSP response expires. Otherwise, when doing OCSP stapling, some servers will cache the OCSP response past the point where the delegated response signing certificate expires, and then Firefox will reject the connection. | ||
#* Related Bugs: {{Bug|1046223}} | #* Related Bugs: {{Bug|1046223}} | ||