Changes

CA/Revocation Reasons

426 bytes added, 22:11, 18 April 2022
re-drafted OCSP section
== OCSP ==
Mozilla does When processing an [https://datatracker.ietf.org/doc/html/rfc6960#section-2.2 OCSP response], Firefox:* Rejects the OCSP response if it contains extensions that are marked critical* Does not expect there to be CRLReasons in process any OCSP responses for TLS endextensions other than [https://datatracker.ietf.org/doc/html/rfc6962#section-3.3 1.3.6.1.4.1.11129.2.4.5 (SCT list)]* Ignores [https://datatracker.ietf.org/doc/html/rfc5280#section-entity certificates5.3 CRL entry extensions] (if they are not marked critical)
Section 7.3Mozilla:* Expects CAs to follow the [https://cabforum.2 of the org/baseline-requirements-documents/ BRs says]* Does not expect [https: ''The singleExtensions of an OCSP response MUST NOT contain the reasonCode (OID 2//www.5mozilla.29org/projects/security/certs/policy/ Mozilla Root Store Policy] section 6.21) CRL entry extension1.''  The BRs say the following in relation 1, "End-Entity TLS Certificate CRLRevocation Reasons", to also apply to certificateHold:OCSP responses* Section 7.2.2: ''the CRLReason MUST NOT be certificateHold''Does not expect consistency between OCSP and CRL revocation reason codes for a certificate* Section 7.3 (Does not do anything special for an OCSP Profile): ''the CRLReason indicated MUST contain a value permitted for CRLs, as specified in Section 7.2.2.''response indicating certificateHold
== Banned Revocation Reasons ==
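
Review bot: in the "Mozilla:" list under == OCSP ==, the "Expects CAs to follow the BRs" bullet links only to the baseline-requirements-documents index, while the specific requirements the section quoted (Section 7.3.2, that singleExtensions MUST NOT contain the reasonCode CRL entry extension, and Sections 7.2.2 and 7.3 on certificateHold) appear to be dropped in the re-draft. Consider keeping those section numbers in that bullet. Without them, the closing bullets ("Does not expect consistency between OCSP and CRL revocation reason codes" and "Does not do anything special for an OCSP response indicating certificateHold") can be read as Mozilla permitting what the BR text shown here forbids, when they seem to describe only what Mozilla does not check. It would also help if the Firefox bullets said which extensions the "marked critical" rejection covers, since one bullet rejects the response on any critical extension and another says CRL entry extensions are ignored only if they are not marked critical.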