On 16/12/16 21:22, Ryan Sleevi wrote:
> "The nextUpdate of the OCSP response must be before or equal to the
> notAfter date of all certificates included within the
> BasicOCSPResponse.certs field, or, if the certs field is omitted,
> before or equal to the notAfter date of the CA certificate which
> issued the certificate that the BasicOCSPResponse is for"
>
> Is that materially the same as what you wanted to say (modulo my
> terrible wording)? I can still see potential issues, but I don't want
> to over-optimize for them quite yet if others think the above works.

Yep, that's it, I think. (Well, it was Brian who reported that this caused issues sometimes but, based on my now-expanded understanding of the situation from your email, I think this is what is meant. But Brian can correct me if that's wrong.)

The wording above seems OK to me, but if you can improve it, go right ahead :-)

Gerv

