Hi David,

If you use the cert at https://crt.sh/?id=1616324 as issuer (the root itself) and run this command:

openssl ocsp -issuer 1616324.crt -serial 101010101010101100001101001101 -url http://ocsp.izenpe.com -noverify

you will get back:

This Update: Jun 22 11:06:43 2017 GMT
Next Update: Jun 22 11:06:43 2018 GMT

Of course, no serverAuth certificates should be issued directly off the root, but the root is still enabled for that purpose, so the responder should respond UNAUTHORIZED here (UNAUTHORIZED instead of UNKNOWN to allow the root to stay offline).

On August 30, 2017 at 4:42:10 PM, David Fernandez via dev-security-policy (dev-security-policy@lists.mozilla.org) wrote:

> Hi Paul,
>
> Can you provide what you posted, for example by attaching the OCSP response? I mean, if I query for a non-existent certificate, I get the following answer:
>
> openssl ocsp -no_cert_verify -no_signature_verify -issuer SSLEV_IZENPE.cer -serial 0x295990755083049101712519384020072382191 -url http://ocsp.izenpe.com
>
> Response verify OK
> 0x295990755083049101712519384020072382191: revoked
> This Update: Aug 30 08:36:05 2017 GMT
> Next Update: Sep 1 08:36:05 2017 GMT
> Reason: certificateHold
> Revocation Time: Jan 1 00:00:00 1970 GMT

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
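The disagreement in the thread is about what an OCSP responder should say when asked about a serial the CA never issued: "good" (as Paul observed against the root), "revoked/certificateHold" (as David observed against the EV intermediate), "unknown", or an "unauthorized" error. The script below is an added example written for this page; it is not code from the list, from Paul or David, or from Izenpe. It assumes the python-cryptography package, builds a constructed self-signed root so it can run entirely offline, sends the same kind of probe request openssl ocsp sends, and grades each kind of answer the way a CA compliance check would: a signed "good" for an unissued serial is flagged, while unauthorized, unknown and revoked are accepted. The serial from Paul's command is reused only as an illustrative unissued value; the live probe() helper at the end is the one function that touches the network and is not exercised here.

```python
"""Probe an OCSP responder for a serial the CA never issued and grade the reply.

Added example; not code from the mailing-list thread or from Izenpe.
Assumes the python-cryptography package. The demo root, the probe request
and the sample responses are all constructed locally so this runs offline.
"""
import datetime
import urllib.request

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Serial from Paul's probe, reused here purely as an illustrative unissued serial.
PROBE_SERIAL = 101010101010101100001101001101

_STATUS = {"good": ocsp.OCSPCertStatus.GOOD, "revoked": ocsp.OCSPCertStatus.REVOKED,
           "unknown": ocsp.OCSPCertStatus.UNKNOWN}


def _utcnow():
    # Naive UTC, which every cryptography release accepts for validity fields.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _cert(subject, issuer, serial, pubkey, signer, is_ca):
    """Minimal certificate; only the fields an OCSP CertID hashes matter here."""
    now = _utcnow()
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .serial_number(serial).public_key(pubkey)
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))


def make_demo_root():
    """Constructed self-signed root standing in for a real CA root (hypothetical)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root (constructed)")])
    return key, _cert(name, name, 1, key.public_key(), key, True)


def build_probe_request(issuer):
    """DER OCSP request for PROBE_SERIAL under `issuer`. A CertID is just the issuer
    name hash, issuer key hash and serial, so a throwaway cert carrying the serial
    (never signed by the issuer) is enough to build it."""
    tmp_key = ec.generate_private_key(ec.SECP256R1())
    phantom = _cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "never issued")]),
                    issuer.subject, PROBE_SERIAL, tmp_key.public_key(), tmp_key, False)
    req = ocsp.OCSPRequestBuilder().add_certificate(phantom, issuer, hashes.SHA1()).build()
    return phantom, req.public_bytes(serialization.Encoding.DER)


def request_serial(req_der):
    """Serial a DER OCSP request asks about (used to check the probe is well formed)."""
    return ocsp.load_der_ocsp_request(req_der).serial_number


def make_demo_response(root_key, root, phantom, status, days=365):
    """Signed single-certificate response from the demo root, in the shape a
    responder would return for the probe. 'revoked' mimics the certificateHold /
    1970 revocation time pattern quoted in the thread."""
    now, cert_status = _utcnow(), _STATUS[status]
    revoked = cert_status == ocsp.OCSPCertStatus.REVOKED
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=phantom, issuer=root, algorithm=hashes.SHA1(),
                          cert_status=cert_status, this_update=now,
                          next_update=now + datetime.timedelta(days=days),
                          revocation_time=datetime.datetime(1970, 1, 1) if revoked else None,
                          revocation_reason=x509.ReasonFlags.certificate_hold if revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, root)
            .sign(root_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)


def unauthorized_response():
    """The unsigned 'unauthorized' error answer an offline-root responder can give."""
    resp = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED)
    return resp.public_bytes(serialization.Encoding.DER)


def assess(response_der, probed_serial=PROBE_SERIAL):
    """Grade a responder's answer to a probe for a serial the CA never issued.
    'ok: ...' means the answer is acceptable; 'bad: ...' means the responder is
    vouching for a certificate that does not exist, or answering the wrong question."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status == ocsp.OCSPResponseStatus.UNAUTHORIZED:
        return "ok: unauthorized (responder declines to speak for this issuer/serial)"
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "ok: error status " + resp.response_status.name
    if resp.serial_number != probed_serial:
        return "bad: answer is for serial %d, not the probed serial" % resp.serial_number
    window = (resp.next_update - resp.this_update) if resp.next_update else None
    if resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
        return "bad: 'good' for an unissued serial (validity window %s)" % window
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        reason = resp.revocation_reason.value if resp.revocation_reason else "unspecified"
        return "ok: revoked (reason %s, revocation time %s)" % (reason, resp.revocation_time)
    return "ok: unknown"


def probe(responder_url, issuer_pem_path):
    """Live probe against a real responder (not run in the offline demo)."""
    with open(issuer_pem_path, "rb") as f:
        issuer = x509.load_pem_x509_certificate(f.read())
    _, req_der = build_probe_request(issuer)
    http_req = urllib.request.Request(responder_url, data=req_der,
                                      headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(http_req, timeout=10) as r:
        return assess(r.read())


if __name__ == "__main__":
    key, root = make_demo_root()
    phantom, _ = build_probe_request(root)
    for label, der in [("good, 1-year window", make_demo_response(key, root, phantom, "good")),
                       ("revoked/certificateHold", make_demo_response(key, root, phantom, "revoked", 2)),
                       ("unauthorized", unauthorized_response())]:
        print("%-24s -> %s" % (label, assess(der)))
```

Run it as a script to see the three answers from the thread graded side by side; to check a real responder, call probe() with the responder URL and a PEM copy of the issuer certificate. The checker also surfaces the validity window, which is the second thing Paul's output shows: a "good" answer that is not only wrong but cacheable for a year.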