CA/Forbidden or Problematic Practices: Difference between revisions

Clarify requirements for OCSP response signatures
(CRL with critical CIDP Extension clarifications)
(Clarify requirements for OCSP response signatures)
Line 41: Line 41:
=== OCSP Responses signed by a certificate under a different root ===
=== OCSP Responses signed by a certificate under a different root ===


CAs are not required to use OCSP. However, CAs who issue certificates with OCSP URLs in AIA extensions should make sure that the OCSP responses conform to RFC 2560, and work correctly for Mozilla users without requiring the user to find and install another root.
CAs are not required to use OCSP. However, CAs who issue certificates with OCSP URLs in AIA extensions should make sure that the OCSP responses conform to RFC 2560, and work correctly for Mozilla users without requiring the user to find and install the OCSP responder's certificate, that is, the certificate with which the OCSP response signatures are verified.


Some OCSP implementations use a Trusted Responder, in which the OCSP response is signed by a certificate under a different root. In this case, the requester has to explicitly trust the OCSP responder by trusting the separate root. When an OCSP Responder URL is included in end-entity certificates, Firefox 3 will by default attempt to check the certificate's status via OCSP.  If the OCSP signer certificate does not chain up to a trusted root, the OCSP check will fail with the error sec_error_ocsp_malformed_request.
At least one CA has issued certificates with OCSP URLs that reference OCSP responders that do not serve queries from the general public, and/or send out responses that are signed with a certificate that is
* not the certificate of the CA that issued the certificate in question; and
* not issued by the CA that issued the certificate in question.
 
When an OCSP responder URL is included in end-entity certificates, Firefox 3 will by default attempt to check the certificate's status via OCSP.  If the OCSP signer certificate is not the certificate of the CA that issued the certificate in question and is not issued by the CA that issued the certificate in question, the OCSP check will fail with an NSS error code for OCSP, such as SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST or SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE.


=== CRL with critical CIDP Extension ===
=== CRL with critical CIDP Extension ===
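Review bot: the new two-item list only states half of the rule in the RFC the paragraph cites: RFC 2560 section 4.2.2.2 accepts a delegated responder only when its certificate is issued by the CA that issued the certificate being checked and also carries the id-kp-OCSPSigning extended key usage, so a responder certificate issued by the right CA but lacking that EKU still fails with the same SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE named in the closing paragraph. Suggest a third bullet along the lines of "* issued by that CA but without the id-kp-OCSPSigning extended key usage", and a positive statement of what a conforming signer looks like (the issuing CA itself, a responder the CA delegated to with that EKU, or a responder the relying party has explicitly configured as trusted), since the removed paragraph explained the trusted-responder case and the new text only describes the failure. Two smaller points: the lead-in "do not serve queries from the general public, and/or send out responses that are signed with a certificate that is" merges two unrelated problems (an unreachable responder and an unauthorized signer) into one sentence, and the closing paragraph then restates both bullet conditions word for word; giving the reachability problem its own sentence and having the closing paragraph refer back to the list ("signed as described above") would remove the repetition.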