CA/Forbidden or Problematic Practices: Difference between revisions

CAs who issue certificates with OCSP URLs in AIA extensions should make sure that the OCSP responses conform to RFC 2560, and work correctly for Mozilla users without requiring the user to find and install the OCSP responder's certificate, that is, the certificate with which the OCSP response signatures are verified.
RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain.  NSS enforces these requirements exactly.


When an OCSP responder URL is included in end-entity certificates, Firefox 3 will by default attempt to check the certificate's status via OCSP.  If the OCSP signer certificate is not the certificate of the CA that issued the certificate in question and is not issued by the CA that issued the certificate in question, the OCSP check will fail with an NSS error code for OCSP, such as SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST or SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE.
For a detailed explanation about why an OCSP responder should not use a self-signed OCSP responder certificate and depend on Trusted Responder Mode within the Firefox browser, see: [[CA:OCSP-TrustedResponder|Details about OCSP Trusted Responder Mode.]]


Please be sure to test your OCSP responder within the Firefox browser by enforcing OCSP as described in our [[CA:Recommended_Practices#OCSP|CA Recommended Practices for OCSP]]: Tools->Options…->Advanced->Encryption->Validation, then select the box for "When an OCSP server connection fails, treat the certificate as invalid".

Errors that CAs sometimes encounter when testing OCSP in Firefox:
* Error code: sec_error_ocsp_unauthorized_response
** Please read section 4.2.2.2 "Authorized Responders" on pages 10-11 of RFC 2560. NSS strictly enforces the three rules at the bottom of page 10, and gives this error code when the response does not conform to those rules.
* Error code: sec_error_ocsp_bad_http_response
** This error appears because the OCSP responder answers the OCSP request with an error instead of an OCSP response.
* Error code: sec_error_ocsp_invalid_signing_cert
** The OCSP signing certificate has not been imported. Mozilla users should not have to find and install the OCSP responder's certificate; see above.
* Error code: sec_error_bad_database
** If you were trying to find or fetch something, it cannot be found.
** If you were trying to store something, there is already such a thing in the DB, and your attempt to store it would overwrite that other thing.
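As an added illustration of these rules (example code written for this edit, not part of the wiki page or of Mozilla's tooling): the script below uses the openssl CLI (assumed present, 1.1.1 or later) to build a throwaway CA and leaf, signs one OCSP response with four different responder certificates, and verifies each as a relying party that trusts only the root and has imported no responder certificate. OpenSSL's verifier applies the RFC 2560 section 4.2.2.2 rules that NSS also enforces: a response is accepted when signed by the issuing CA itself or by a responder certificate the CA issued directly with the OCSP signing extended key usage; a CA-issued certificate without that EKU and a self-signed responder certificate are rejected, which are the situations behind sec_error_ocsp_unauthorized_response and sec_error_ocsp_invalid_signing_cert above. All names, serial numbers and the index row are constructed for the demo.

```shell
#!/bin/sh
# Added example for this wiki section, not part of the page: it builds a
# throwaway PKI with the openssl CLI (assumed available, 1.1.1 or later),
# answers one OCSP request with four different responder certificates, and
# checks each response the way a relying party applying RFC 2560 section
# 4.2.2.2 would. All names, serials and index rows are constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: an empty DN section (subjects come from -subj),
# a CA extension profile and an OCSP-signer extension profile.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
[ocsp_signer]
extendedKeyUsage = OCSPSigning
EOF

# Root CA, a leaf (serial 0x1001) and one responder key used in three ways.
build_pki() {
  for k in ca ee ocsp; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$k.key" 2>/dev/null
  done
  openssl req -x509 -new -config pki.cnf -key ca.key -subj "/CN=Example Root CA" \
    -days 30 -out ca.pem 2>/dev/null
  openssl req -new -config pki.cnf -key ee.key -subj "/CN=www.example.test" -out ee.csr 2>/dev/null
  openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 -days 30 \
    -out ee.pem 2>/dev/null
  openssl req -new -config pki.cnf -key ocsp.key -subj "/CN=Example OCSP Responder" \
    -out ocsp.csr 2>/dev/null
  # (a) Authorized responder per RFC 2560 4.2.2.2: issued directly by the CA
  #     and carrying the id-kp-OCSPSigning extended key usage.
  openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x2001 -days 30 \
    -extfile pki.cnf -extensions ocsp_signer -out ocsp-delegated.pem 2>/dev/null
  # (b) Issued by the CA but without the EKU: not an authorized responder.
  openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x2002 -days 30 \
    -out ocsp-noeku.pem 2>/dev/null
  # (c) Self-signed responder certificate, the "trusted responder" pattern the
  #     page warns against: only usable if every client imports it by hand.
  openssl req -x509 -new -config pki.cnf -extensions ocsp_signer -key ocsp.key \
    -subj "/CN=Example OCSP Responder" -days 30 -out ocsp-selfsigned.pem 2>/dev/null
  # CA database row in the layout "openssl ocsp -index" reads:
  # status, expiry, revocation date, serial (hex), filename, subject.
  printf 'V\t351231235959Z\t\t1001\tunknown\t/CN=www.example.test\n' > index.txt
}

# Answer an OCSP request for the leaf offline, signing with $1 (cert) and $2 (key)
# into $3; the signer certificate is embedded in the response, as responders do.
sign_response() {
  openssl ocsp -issuer ca.pem -cert ee.pem -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.pem -rsigner "$1" -rkey "$2" -rmd sha256 \
    -reqin req.der -respout "$3" -no_nonce -noverify >/dev/null 2>&1
}

# Verify a response as a relying party that trusts only the root CA and has NOT
# imported any responder certificate. Exit status 0 means the signature verifies
# and the signer is the issuing CA or a responder it has authorized.
verify_response() {
  openssl ocsp -respin "$1" -issuer ca.pem -cert ee.pem -CAfile ca.pem -no_nonce >/dev/null 2>&1
}

# Prints "accepted" or "rejected" for a responder certificate ($1) and key ($2).
ocsp_verdict() {
  sign_response "$1" "$2" verdict.der
  if verify_response verdict.der; then echo accepted; else echo rejected; fi
}

build_pki
printf 'issuing CA signs directly:      %s\n' "$(ocsp_verdict ca.pem ca.key)"
printf 'CA-issued, OCSPSigning EKU:     %s\n' "$(ocsp_verdict ocsp-delegated.pem ocsp.key)"
printf 'CA-issued, no OCSPSigning EKU:  %s\n' "$(ocsp_verdict ocsp-noeku.pem ocsp.key)"
printf 'self-signed responder:          %s\n' "$(ocsp_verdict ocsp-selfsigned.pem ocsp.key)"
```

Run it with sh; it prints one accepted/rejected line per responder certificate. The -noverify on the responder-side call only skips openssl's check of the response it has just produced; the relying-party call deliberately passes no responder certificate and takes it from the response, which is exactly the situation a Mozilla user is in.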


=== CRL with critical CIDP Extension ===