With regards to the issues raised by Jesus F., LuxTrust proposes the
following answers:
Regarding issue #1: OCSP does not respond using GET method (BR section 13.2.2):
The feature is operational since 11th March 2015. We successfully made OCSP
requests using the GET method.
Regarding issue #2: OCSP responds "good" to a non-issued certificate
(serials FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 00) (BR Section
13.2.6):
LuxTrust’s OCSP application currently does not support this feature
(technical limitation). LuxTrust is currently analyzing the possibility of
an alternative solution / technical improvements.
Pending a technical alternative, LuxTrust would like to underline that the
risks raised by the “good” response to a non-issued certificate are mitigated
by compensatory controls: even if LuxTrust’s OCSP responder provides an
inadequate “good” response, the certificate will not pass the step of
validation of the CA information (trust anchor) because the certificate is
not signed by LuxTrust’s CA (provided that the certificate validation check
is compliant with RFC 5280, section 6.1 Basic path validation).
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
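The compensatory control LuxTrust describes for issue #2 can be shown in code: a relying party that performs RFC 5280 path validation rejects a certificate that is not signed by the trusted CA, whatever the OCSP responder answers for its serial. The Go program below is an added example written for this page; it is not LuxTrust's responder or any client's validation code. It assumes a toy in-memory responder with a `Strict` flag (answering "unknown" for never-issued serials, the behaviour the thread says the BR require, versus "good", the limitation described in the post), a constructed CA name, a constructed never-issued serial, and a lookalike CA that carries the same name as the trusted CA but a different key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OCSP certificate status values used by the toy responder below.
const (
	StatusGood    = "good"
	StatusRevoked = "revoked"
	StatusUnknown = "unknown"
)

// Responder is a toy OCSP responder (constructed for this example). Strict=true
// answers "unknown" for a serial the CA never issued; Strict=false answers
// "good" for anything not revoked, which is the limitation described in the post.
type Responder struct {
	Issued  map[string]bool // hex serial -> issued by the CA
	Revoked map[string]bool // hex serial -> revoked
	Strict  bool
}

func (r *Responder) Status(serial *big.Int) string {
	k := serial.Text(16)
	switch {
	case r.Revoked[k]:
		return StatusRevoked
	case r.Issued[k] || !r.Strict:
		return StatusGood
	default:
		return StatusUnknown
	}
}

// NewCA builds a self-signed CA with a fresh key. Calling it twice yields two
// CAs with the same name but different keys: the trusted one and a lookalike.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewLeaf issues a server certificate with the given serial under ca/caKey.
func NewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Accept is the relying-party check: RFC 5280 section 6.1 path validation
// against the trusted roots first, then the OCSP status of the leaf's serial.
func Accept(leaf *x509.Certificate, roots *x509.CertPool, resp *Responder) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "www.example.test"}); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	if st := resp.Status(leaf.SerialNumber); st != StatusGood {
		return fmt.Errorf("OCSP status %q", st)
	}
	return nil
}

// Outcome records one run: a genuine certificate, and one with a never-issued
// serial signed by the lookalike CA, each checked by Accept.
type Outcome struct {
	GenuineAccepted bool   // genuine cert, strict responder
	ForgedAccepted  bool   // lookalike-signed cert, legacy responder saying "good"
	ForgedLegacy    string // legacy responder's answer for the never-issued serial
	ForgedStrict    string // strict responder's answer for the same serial
}

func RunScenario() (Outcome, error) {
	var out Outcome
	trustedCA, trustedKey, err := NewCA()
	if err != nil {
		return out, err
	}
	lookalikeCA, lookalikeKey, err := NewCA() // same name, different (untrusted) key
	if err != nil {
		return out, err
	}
	issuedSerial := big.NewInt(1000)
	neverIssued, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFF", 16) // constructed, never issued
	genuine, err := NewLeaf(trustedCA, trustedKey, issuedSerial)
	if err != nil {
		return out, err
	}
	forged, err := NewLeaf(lookalikeCA, lookalikeKey, neverIssued)
	if err != nil {
		return out, err
	}
	legacy := &Responder{Issued: map[string]bool{issuedSerial.Text(16): true}, Revoked: map[string]bool{}}
	strict := &Responder{Issued: legacy.Issued, Revoked: legacy.Revoked, Strict: true}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)

	out.GenuineAccepted = Accept(genuine, roots, strict) == nil
	out.ForgedAccepted = Accept(forged, roots, legacy) == nil // "good" from OCSP, still rejected
	out.ForgedLegacy = legacy.Status(neverIssued)
	out.ForgedStrict = strict.Status(neverIssued)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The order of checks in `Accept` is the point: OCSP is only consulted for a certificate that already chains to a trusted root, so a responder that answers "good" for a serial it never issued does not by itself let a certificate from another key through. The strict responder shows the answer the thread expects for such a serial.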