CA/Forbidden or Problematic Practices: Difference between revisions

For a detailed explanation about why an OCSP responder should not use a self-signed OCSP responder certificate and depend on Trusted Responder Mode within the Firefox browser, see: [[CA:OCSP-TrustedResponder|Details about OCSP Trusted Responder Mode.]]
RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain.  NSS enforces these requirements exactly.
Please be sure to test your OCSP responder within the Firefox browser by enforcing OCSP: Tools->Options…->Advanced->Encryption->Validation. Select the box for “When an OCSP server connection fails, treat the certificate as invalid”.
Errors that CAs sometimes encounter when testing OCSP in Firefox:
* Error code: sec_error_ocsp_unauthorized_response
** Please read section 4.2.2.2 "Authorized Responders" on pages 10-11 of RFC 2560. NSS strictly enforces the 3 rules at the bottom of page 10, and gives this error code when the response does not conform to those rules.
* Error code: sec_error_ocsp_bad_http_response
** That error message appears because the OCSP responder responds to the OCSP request with an error.
* Error code: sec_error_ocsp_invalid_signing_cert
** OCSP Signing cert has not been imported. Mozilla users should not have to find and install the OCSP responder's certificate. See above.
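The three "Authorized Responder" rules referenced above, as an added worked example that is not code from this wiki page or from NSS: a pure-Python model of RFC 2560 section 4.2.2.2 that decides whether an OCSP response signer is authorized to answer for a given issuing CA, and otherwise reports the outcome NSS surfaces as sec_error_ocsp_unauthorized_response. Certificates are reduced to the fields the rules inspect; the certificate names, key identifiers and the `Cert`/`classify` helpers are constructed for this example.

```python
# Added example (not from the Mozilla wiki or NSS): a model of the three
# "Authorized Responder" rules in RFC 2560 section 4.2.2.2, which NSS applies
# before reporting sec_error_ocsp_unauthorized_response.
from dataclasses import dataclass

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning extendedKeyUsage OID


class OcspUnauthorizedResponse(Exception):
    """Stand-in for NSS's sec_error_ocsp_unauthorized_response."""


@dataclass(frozen=True)
class Cert:
    """Only the fields the authorization rules look at (constructed model)."""
    subject: str
    issuer: str
    key_id: str        # identifies this certificate's public key
    signed_by: str     # key_id of the key that signed this certificate
    eku: tuple = ()    # extendedKeyUsage OIDs; empty if the extension is absent

    @property
    def self_signed(self) -> bool:
        return self.signed_by == self.key_id


def authorized_responder_rule(issuer_ca: Cert, signer: Cert,
                              trusted_responder_keys: frozenset) -> str:
    """Return the rule that authorizes `signer` to answer for certificates
    issued by `issuer_ca`, or raise OcspUnauthorizedResponse.

    `trusted_responder_keys` models the relying party's explicitly configured
    Trusted Responder keys. It is empty for a stock Firefox profile, which is
    why a self-signed responder certificate fails there unless the user has
    imported it by hand."""
    # Rule 1: the response is signed with the issuing CA's own key.
    if signer.key_id == issuer_ca.key_id:
        return "issuer-ca"
    # Rule 2: the signer's key is a Trusted Responder configured on the client.
    if signer.key_id in trusted_responder_keys:
        return "trusted-responder"
    # Rule 3: a CA Designated Responder whose certificate was issued directly
    # by the CA and carries id-kp-OCSPSigning in extendedKeyUsage.
    if (signer.signed_by == issuer_ca.key_id
            and signer.issuer == issuer_ca.subject
            and ID_KP_OCSP_SIGNING in signer.eku):
        return "delegated-responder"
    raise OcspUnauthorizedResponse(
        f"signer {signer.subject!r} is not authorized for {issuer_ca.subject!r}")


def classify(issuer_ca: Cert, signer: Cert,
             trusted_responder_keys: frozenset = frozenset()) -> str:
    """Return the authorizing rule name, or the NSS error name on failure."""
    try:
        return authorized_responder_rule(issuer_ca, signer, trusted_responder_keys)
    except OcspUnauthorizedResponse:
        return "sec_error_ocsp_unauthorized_response"


# Constructed sample certificates (names and key ids are not real).
CA = Cert(subject="CN=Example Issuing CA", issuer="CN=Example Root",
          key_id="ca-key", signed_by="root-key")
DELEGATED = Cert(subject="CN=Example OCSP Responder", issuer=CA.subject,
                 key_id="ocsp-key", signed_by=CA.key_id,
                 eku=(ID_KP_OCSP_SIGNING,))
NO_EKU = Cert(subject="CN=Example OCSP Responder (no EKU)", issuer=CA.subject,
              key_id="ocsp-key-2", signed_by=CA.key_id, eku=())
SELF_SIGNED = Cert(subject="CN=Standalone OCSP Responder",
                   issuer="CN=Standalone OCSP Responder",
                   key_id="standalone-key", signed_by="standalone-key",
                   eku=(ID_KP_OCSP_SIGNING,))


def demo() -> dict:
    """Run the common responder configurations through the rules."""
    return {
        "ca-signed": classify(CA, CA),
        "delegated": classify(CA, DELEGATED),
        "delegated-without-eku": classify(CA, NO_EKU),
        "self-signed-stock-firefox": classify(CA, SELF_SIGNED),
        "self-signed-with-trusted-responder":
            classify(CA, SELF_SIGNED, frozenset({SELF_SIGNED.key_id})),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:36s} -> {outcome}")
```

The last two cases are the situation the page warns about: the same self-signed responder certificate is rejected by a stock Firefox profile and only passes once the relying party has imported its key as a Trusted Responder, which is exactly the per-user step Mozilla does not want CAs to depend on.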


=== CRL with critical CIDP Extension ===