See below:
On 13/03/2014 01:09, Erwann Abalea wrote:
> When requesting the OCSP responder to check the subscriber certificate (thus signed by
> the intermediate), the response contains a self-signed certificate for your intermediate
> CA, instead of the "root-issued" genuine one. Why? It can make some software
> reject your responses (even if they shouldn't).

Right. We will fix it shortly.

> The authorized OCSP responders certificates don't contain the mandatory
> OCSPNoCheck extension (BR 1.1, section 13.2.5).

We forgot that extension, will reissue the responder certificate at the
earliest.
Thank you for pointing out those issues.
However, other CAs that are already EV-enabled in Mozilla seem to have
overlooked those issues as well.
For instance, also the OCSP response for https://www.opentrust.com is
lacking the ocsp-no-check extension in the responder certificate.
Adriano
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
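
One way to check a delegated OCSP responder certificate for the OCSPNoCheck extension discussed in this message, as an added example that is not part of the original thread. It assumes the Python "cryptography" package; the certificates are constructed test data, the helper names are hypothetical, and the id-kp-OCSPSigning check goes slightly beyond the thread (RFC 6960 requires it for delegated responders).

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_responder_cert(with_nocheck):
    """Build a constructed (test-only) delegated OCSP responder certificate."""
    ca_key = ec.generate_private_key(ec.SECP256R1())         # throwaway issuing-CA key
    responder_key = ec.generate_private_key(ec.SECP256R1())
    start = datetime.datetime(2014, 3, 13)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed OCSP Responder")]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Issuing CA")]))
        .public_key(responder_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=30))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    )
    if with_nocheck:
        # id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5); its value is an ASN.1 NULL
        builder = builder.add_extension(x509.OCSPNoCheck(), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def audit_responder_cert(cert):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            findings.append("EKU does not include id-kp-OCSPSigning")
    except x509.ExtensionNotFound:
        findings.append("no extendedKeyUsage extension (id-kp-OCSPSigning required)")
    try:
        cert.extensions.get_extension_for_class(x509.OCSPNoCheck)
    except x509.ExtensionNotFound:
        findings.append("missing id-pkix-ocsp-nocheck extension (BR section 13.2.5)")
    return findings


if __name__ == "__main__":
    for flag in (True, False):
        print("with OCSPNoCheck" if flag else "without OCSPNoCheck",
              "->", audit_responder_cert(make_responder_cert(flag)) or "OK")
```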