In the WebPKI ecosystem I have seen a wide range of OCSP responses for OCSP requests using SHA256 for the issuerNameHash and issuerKeyHash. I have observed the following types of OCSP responses:

1. “good” response with issuerNameHash and issuerKeyHash using SHA256
2. “good” response with issuerNameHash and issuerKeyHash using SHA1
3. “unknown” response containing the correct SHA256 issuerNameHash and issuerKeyHash but signed with an incorrect OCSP signing cert (chains to a different authority)
4. “unauthorized” response
5. “malformedrequest” response
I would like to have a discussion with the community about what is thought to be the correct response. Of the various responses I have observed, I think the correct response is number 1. I would also like to know if others have seen other variants of OCSP responses for requests using SHA256 for the issuerNameHash and issuerKeyHash.

Supporting info:
RFC 6960: https://tools.ietf.org/html/rfc6960 - 4.1.1. ASN.1 Specification of the OCSP Request
RFC 2560: https://tools.ietf.org/html/rfc2560 - 4.1.1 Request Syntax

- Curt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy