We have re-issued and installed the certificates of our OCSP responders: now they have the id-pkix-ocsp-nocheck extension, as per BR 1.1 section 13.2.5.

Adriano


On 18/03/2014 01:08, Kathleen Wilson wrote:
On 3/13/14, 3:23 AM, Adriano Santoni - Actalis S.p.A. wrote:
See below:

On 13/03/2014 01:09, Erwann Abalea wrote:
When requesting the OCSP responder to check the subscriber certificate
(thus signed by the intermediate), the response contains a self-signed
certificate for your intermediate CA, instead of the "root-issued"
genuine one. Why? It can make some software reject your responses
(even if they shouldn't).

Right. We will fix it shortly.

The authorized OCSP responders certificates don't contain the
mandatory OCSPNoCheck extension (BR 1.1, section 13.2.5).

We forgot that extension, will reissue the responder certificate at the
earliest.


Please let us know when these have been addressed.


Does anyone else have feedback on this request from Actalis to enable EV treatment for the “Actalis Authentication Root CA” root certificate?


Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
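
Added example, not part of the original thread: one way to check a delegated OCSP responder certificate for the id-pkix-ocsp-nocheck extension discussed above, together with the id-kp-OCSPSigning extended key usage, using the Python "cryptography" package. The function names, subject names and the throwaway sample certificates are assumptions constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def responder_cert_problems(cert):
    """Return the delegated-responder requirements this certificate fails."""
    problems = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            problems.append("EKU lacks id-kp-OCSPSigning")
    except x509.ExtensionNotFound:
        problems.append("no extendedKeyUsage extension")
    try:
        # id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5): clients need not
        # check the revocation status of the responder certificate itself.
        cert.extensions.get_extension_for_class(x509.OCSPNoCheck)
    except x509.ExtensionNotFound:
        problems.append("missing id-pkix-ocsp-nocheck")
    return problems


def make_responder_cert(with_nocheck):
    """Constructed sample: a throwaway CA key signs a responder certificate."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    responder_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime(2014, 3, 18)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example OCSP Responder")])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(responder_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    )
    if with_nocheck:
        builder = builder.add_extension(x509.OCSPNoCheck(), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, responder_cert_problems(make_responder_cert(flag)))
```

To check a real responder certificate, load it with x509.load_pem_x509_certificate() and pass it to responder_cert_problems().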
