Hello,

On Friday, 20 September 2019 22:20:02 UTC+2, Curt Spann wrote:
[...]
> My interpretation is a “revoked” OCSP response should be used in the 
> following conditions:
[...]
> 2. When the OCSP request contains an issuerNameHash and issuerKeyHash for 
> which the OCSP responder IS authoritative and the CA corresponding to the 
> issuerNameHash and issuerKeyHash has been revoked.

A CA is not revoked, only certificates are. A CA can have several certificates, 
all sharing the same subject name while public keys may be identical or 
different, chaining to identical or different Trust Anchors, and some of the 
certificates issued to the CA might have been revoked while others are still 
valid. Returning a revoked answer whenever a CA certificate is revoked 
regardless of the status of all the other certificates is not going to work.

RFC 6960 includes some provisions in clause 2.7 regarding CA key compromise, and 
in such a condition, the OCSP responder MAY return a revoked status.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
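The mechanics behind the reply above can be seen by computing the OCSP CertID the way a client does. The following is an added example, not code from the original thread or from any RFC, written in Go with only the standard library: it mints a constructed hierarchy (two roots, one intermediate CA holding two certificates with the same subject and key, one leaf), derives the RFC 6960 section 4.1.1 CertID (issuerNameHash, issuerKeyHash, serialNumber) for each request a client could form, and runs a toy responder that keys status by CertID. All names, serial numbers, the responder's policy and its "authoritative" check are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertID holds the RFC 6960 section 4.1.1 fields naming the certificate an OCSP request asks about (SHA-1 fixed here).
type CertID struct {
	IssuerNameHash []byte   // SHA-1 of the DER-encoded issuer Name
	IssuerKeyHash  []byte   // SHA-1 of the issuer's subjectPublicKey BIT STRING contents
	SerialNumber   *big.Int // serial of the certificate whose status is requested
}

// Key renders the CertID as a string usable as a map key.
func (c CertID) Key() string { return fmt.Sprintf("%x/%x/%x", c.IssuerNameHash, c.IssuerKeyHash, c.SerialNumber) }

// NewCertID builds the CertID a client sends for cert after chaining it to issuer. Only the
// issuer's name and key go in; the issuer certificate itself (serial, own issuer, own status) does not.
func NewCertID(cert, issuer *x509.Certificate) CertID {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	must(asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki))
	nameHash, keyHash := sha1.Sum(issuer.RawSubject), sha1.Sum(spki.PublicKey.Bytes)
	return CertID{nameHash[:], keyHash[:], cert.SerialNumber}
}

// Responder is a toy OCSP responder keyed the way RFC 6960 keys requests: by CertID (constructed policy).
type Responder struct {
	Authoritative map[string]bool // hex issuerKeyHash values the responder answers for
	Revoked       map[string]bool // CertID.Key() of revoked certificates
}

// Status returns the RFC 6960 section 2.2 status for one CertID.
func (r *Responder) Status(id CertID) string {
	if !r.Authoritative[hex.EncodeToString(id.IssuerKeyHash)] {
		return "unknown"
	}
	if r.Revoked[id.Key()] {
		return "revoked"
	}
	return "good"
}

// Scenario: one intermediate CA (one name, one key) with two certificates from two roots, one revoked.
type Scenario struct {
	RootA, RootB, InterA, InterB, Leaf *x509.Certificate
	Responder                          *Responder
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	return t
}

func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildScenario mints the constructed hierarchy and configures the toy responder.
func BuildScenario() *Scenario {
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootAKey, rootBKey, interKey, leafKey := key(), key(), key(), key()
	ta, tb := template("Constructed Root A", 1, true), template("Constructed Root B", 2, true)
	rootA, rootB := mint(ta, ta, &rootAKey.PublicKey, rootAKey), mint(tb, tb, &rootBKey.PublicKey, rootBKey)
	// Two certificates for the one intermediate CA: same subject, same key, different issuer.
	interA := mint(template("Constructed Intermediate CA", 1001, true), rootA, &interKey.PublicKey, rootAKey)
	interB := mint(template("Constructed Intermediate CA", 2001, true), rootB, &interKey.PublicKey, rootBKey)
	leaf := mint(template("leaf.example", 500001, false), interA, &leafKey.PublicKey, interKey)
	r := &Responder{Authoritative: map[string]bool{}, Revoked: map[string]bool{}}
	for _, ca := range []*x509.Certificate{rootA, rootB, interA} { // interB shares interA's key
		r.Authoritative[hex.EncodeToString(NewCertID(ca, ca).IssuerKeyHash)] = true
	}
	r.Revoked[NewCertID(interA, rootA).Key()] = true // only the Root A-issued CA certificate is revoked
	return &Scenario{rootA, rootB, interA, interB, leaf, r}
}

// LeafRequestsCollide: is the leaf's CertID identical whichever intermediate certificate was chained through?
func LeafRequestsCollide(s *Scenario) bool {
	return NewCertID(s.Leaf, s.InterA).Key() == NewCertID(s.Leaf, s.InterB).Key()
}

func main() {
	s := BuildScenario()
	fmt.Println("interA:", s.Responder.Status(NewCertID(s.InterA, s.RootA)), "interB:", s.Responder.Status(NewCertID(s.InterB, s.RootB)))
	fmt.Println("leaf:", s.Responder.Status(NewCertID(s.Leaf, s.InterA)), "leaf CertID identical via A/B:", LeafRequestsCollide(s))
}
```

Run it with `go run .`. Two things fall out. First, the two intermediate certificates have distinct CertIDs (different issuer name, issuer key and serial), so the responder can report one revoked and the other good; revocation is a property of each certificate. Second, a request about the leaf carries only the intermediate's name hash and key hash, which are the same bytes whether the client chained through the Root A or the Root B certificate, so the responder has no way to tell which intermediate certificate the client used and cannot derive the leaf's status from the status of "the CA". The clause 2.7 key-compromise case is deliberately not modelled; there the responder's choice to return revoked is its own policy, not something the CertID tells it.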
