On Tuesday, 24 June 2014 20:10:23 UTC+2, Erwann Abalea wrote:
> Hello Moises,
>
> On Monday, 23 June 2014 11:53:05 UTC+2, [email protected] wrote:
> > On Friday, 20 June 2014 17:07:05 UTC+2, Erwann Abalea wrote:
> > > Under "ANF Global Root CA":
> > >
> > > https://kerberosns.com/cloud
> > >
> > > EV certificate is not compliant with EV Guidelines:
> >
> > [...]
> >
> > Hello,
> >
> > I'm Moises Amador, ANF's representative.
> >
> > This is the account from which I officially respond.
> >
> > Erwann, thanks for taking the time to review our request.
> > We will carefully review the points you mention, and answer all soon.
>
> There's one additional point which doesn't affect Mozilla (for now), but
> currently affects Microsoft.
>
> Your OCSP responders don't set the nextUpdate date (it's optional). This is
> valid, but it has a side effect: Microsoft CAPI considers that such responses
> are obsolete, and falls back to CRL download.
>
> If your CRLs are invalid, as is the case when validating the "ANF SSL Sede CA1"
> certificate, it becomes a security problem.

Regarding this last point, as it is an optional field and our OCSP responders do not consult CRLs, the "nextUpdate date" field is not included. Regarding the comment on the "ANF SSL Sede CA1" certificate, a solution to this was proposed.
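
To audit a responder for the condition discussed in this thread, the following added example (not part of the original messages and not ANF's code) uses the Python `cryptography` package to build two OCSP responses, one without nextUpdate and one with it, and reports which a client would see. The CA, the leaf certificate, the timestamp and all function names are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2014, 6, 24, 12, 0, 0)  # constructed timestamp (UTC)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, key, issuer_cn, issuer_key):
    """Constructed throwaway certificate standing in for a real CA or leaf."""
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))

def build_sample_response(validity):
    """DER OCSP response for a constructed leaf; validity=None omits nextUpdate."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert("Example Test CA", ca_key, "Example Test CA", ca_key)
    leaf = _cert("leaf.example", leaf_key, "Example Test CA", ca_key)
    next_update = None if validity is None else NOW + validity
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=next_update,
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def audit_next_update(der):
    """Report whether a DER OCSP response carries the optional nextUpdate."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unsuccessful"
    # Newer cryptography releases expose next_update_utc; older ones next_update.
    if hasattr(resp, "next_update_utc"):
        value = resp.next_update_utc
    else:
        value = resp.next_update
    return "missing" if value is None else "present"
```

A result of "missing" marks a response that, per the message above, Microsoft CAPI treats as obsolete before falling back to the CRL, so the CRL for that issuer must itself be valid.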

