Some OCSP implementations use a Trusted Responder, in which the OCSP response is signed by a certificate under a different root. In this case, the requester has to explicitly trust the OCSP responder by trusting the separate root. When an OCSP Responder URL is included in end-entity certificates, Firefox 3 will by default attempt to check the certificate's status via OCSP. If the OCSP signer certificate does not chain up to a trusted root, the OCSP check will fail with the error sec_error_ocsp_malformed_request.
=== CRL with critical CIDP Extension ===
Currently Firefox is not able to load a CRL into the local database when the CRL Issuing Distribution Point (CIDP) extension is flagged as critical. A critical extension tells the relying party that it must reject the CRL if it does not understand the extension, and the current NSS code does not yet understand CIDP. When attempting to load such a CRL, Firefox returns the error code ffffe095, which as a signed 32-bit value is the negative decimal number -8043. According to the [http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html NSS Error Codes] this error corresponds to SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION.
The NSS team is working on implementing the code that will understand and use the CIDP extension. There will also have to be changes in Firefox to make this work. However, older versions of Firefox will never be able to load CRLs with critical CIDP extensions.
Our recommendation is to remove the critical flag from the CIDP extension of your CRL (which means re-issuing and re-signing the CRL, since the flag is part of the signed TBSCertList).
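The following is an added example (not code from this wiki page or from NSS) that builds a minimal DER CRL carrying the IssuingDistributionPoint extension (OID 2.5.29.28) with and without the critical flag, walks the crlExtensions field, and applies the "reject any critical extension you do not understand" rule that produces SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION. The issuer name, dates, OID list and the all-zero signature are constructed sample values, and the set of "understood" extensions is an assumption standing in for the NSS behaviour described above; the CRL is not signed, so it is only useful for inspecting the extension encoding.

```python
"""Inspect CRL extensions and emulate NSS's critical-extension check (example, not NSS code)."""

# ---- minimal DER encoder (enough for a TBSCertList with extensions) ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F]); p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F)); p >>= 7
        out += enc
    return tlv(0x06, bytes(out))

def extension(oid_str, critical, value):
    body = oid(oid_str)
    if critical:                      # DER: DEFAULT FALSE must be omitted when false
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

CIDP = "2.5.29.28"        # id-ce-issuingDistributionPoint
CRL_NUMBER = "2.5.29.20"  # id-ce-cRLNumber
AKID = "2.5.29.35"        # id-ce-authorityKeyIdentifier

def build_crl(cidp_critical):
    """Constructed, unsigned sample CRL: v2, one CRL number, one IDP extension."""
    version = tlv(0x02, b"\x01")
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))  # sha256WithRSA
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"Example CRL Issuer"))))
    this_update = tlv(0x17, b"240101000000Z")
    next_update = tlv(0x17, b"240201000000Z")
    idp_value = tlv(0x30, tlv(0x81, b"\xff"))  # IDP { onlyContainsUserCerts [1] TRUE }
    exts = extension(CRL_NUMBER, False, tlv(0x02, b"\x07")) + extension(CIDP, cidp_critical, idp_value)
    tbs = tlv(0x30, version + sig_alg + issuer + this_update + next_update + tlv(0xA0, tlv(0x30, exts)))
    fake_signature = tlv(0x03, b"\x00" + b"\x00" * 16)  # placeholder, not a real signature
    return tlv(0x30, tbs + sig_alg + fake_signature)

# ---- minimal DER decoder ----
def read_tlv(buf, pos=0):
    tag = buf[pos]; pos += 1
    length = buf[pos]; pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v); v = 0
    return ".".join(map(str, parts))

def crl_extensions(crl_der):
    """Return [(oid, critical, value)] from the crlExtensions [0] EXPLICIT field."""
    _, cert_list, _ = read_tlv(crl_der)
    _, tbs, _ = read_tlv(cert_list)
    for tag, val in children(tbs):
        if tag == 0xA0:
            _, ext_seq = children(val)[0]
            result = []
            for _, ext in children(ext_seq):
                fields = children(ext)
                critical = any(t == 0x01 and v == b"\xff" for t, v in fields[1:-1])
                result.append((decode_oid(fields[0][1]), critical, fields[-1][1]))
            return result
    return []

# ---- the check that yields ffffe095 / -8043 ----
SEC_ERROR_BASE = -0x2000
SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION = SEC_ERROR_BASE + 149   # == -8043 == 0xffffe095

def nss_error_from_hex(hexcode):
    """Interpret a Firefox hex error code as a signed 32-bit NSS error number."""
    v = int(hexcode, 16)
    return v - (1 << 32) if v & 0x80000000 else v

UNDERSTOOD = {CRL_NUMBER, AKID}   # assumption: CIDP is absent, as the text states for older NSS

def load_crl(crl_der, understood=UNDERSTOOD):
    """Return 0 if the CRL would load, else the NSS error for an unknown critical extension."""
    for oid_str, critical, _ in crl_extensions(crl_der):
        if critical and oid_str not in understood:
            return SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION
    return 0

if __name__ == "__main__":
    for flag in (True, False):
        print("CIDP critical=%s -> load result %d" % (flag, load_crl(build_crl(flag))))
```

Running the block shows the critical CRL rejected with -8043 and the non-critical one accepted; the same `crl_extensions` walk can be pointed at a real CRL (`open("ca.crl", "rb").read()`, DER form) to see whether 2.5.29.28 is marked critical before publishing it.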