Hello,

On Friday 20 September 2019 22:20:02 UTC+2, Curt Spann wrote:
[...]
> My interpretation is a “revoked” OCSP response should be used in the
> following conditions:
[...]
> 2. When the OCSP request contains an issuerNameHash and issuerKeyHash for
> which the OCSP responder IS authoritative and the CA corresponding to the
> issuerNameHash and issuerKeyHash has been revoked.
A CA is not revoked, only certificates are. A CA can have several certificates, all sharing the same subject name, while public keys may be identical or different, chaining to identical or different Trust Anchors, and some of the certificates issued to the CA might have been revoked while others are still valid. Returning a revoked answer whenever a CA certificate is revoked, regardless of the status of all the other certificates, is not going to work.

RFC6960 includes some provisions in clause 2.7 regarding CA key compromise, and in such a condition, the OCSP responder MAY return a revoked status.

_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy
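The following is an added example, not part of this thread and not any CA's or responder's own code, written in Go with only the standard library to show the point made above: an OCSP request names the issuer by issuerNameHash and issuerKeyHash (RFC 6960 4.1.1), so a responder tracks status per certificate serial under a given issuer name and key, never per "CA". The scenario (a root, a subordinate CA named "Example Sub CA" holding two keys K1 and K2 and three CA certificates, and one leaf), the serial numbers, the `Responder` type and its `MarkKeyCompromised` flag modelling clause 2.7 are all constructed for illustration. It goes slightly beyond the thread by building real certificates, which makes visible that the two CA certificates sharing a subject name and key yield the identical CertID for a leaf, while the one holding a different key does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Status is the CertStatus of an OCSP SingleResponse (RFC 6960 4.2.1).
type Status string
const Good, Revoked, Unknown Status = "good", "revoked", "unknown"

// CertID is the RFC 6960 4.1.1 request identifier (SHA-1 hashes, as in the RFC's examples):
// the issuer is identified by the hash of its Name and of its key, not by a CA certificate.
type CertID struct {
	IssuerNameHash, IssuerKeyHash [sha1.Size]byte
	Serial                        string // hex, so that CertID can be used as a map key
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// IDFor builds the CertID a client sends about cert, given the certificate it takes to be the
// issuer. Every issuer certificate carrying the same Name and key yields the same CertID.
func IDFor(cert, issuer *x509.Certificate) CertID {
	var info struct { // SubjectPublicKeyInfo; issuerKeyHash covers only the subjectPublicKey bits
		Algorithm        pkix.AlgorithmIdentifier
		SubjectPublicKey asn1.BitString
	}
	must(asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &info))
	return CertID{sha1.Sum(issuer.RawSubject), sha1.Sum(info.SubjectPublicKey.Bytes), cert.SerialNumber.Text(16)}
}
// Responder keeps status per exact CertID, never per CA subject name, and separately
// records CA keys known to be compromised (RFC 6960 clause 2.7). Constructed model.
type Responder struct {
	statuses        map[CertID]Status
	compromisedKeys map[[sha1.Size]byte]bool
}
func NewResponder() *Responder { return &Responder{map[CertID]Status{}, map[[sha1.Size]byte]bool{}} }
func (r *Responder) Set(id CertID, s Status)                   { r.statuses[id] = s }
func (r *Responder) MarkKeyCompromised(keyHash [sha1.Size]byte) { r.compromisedKeys[keyHash] = true }
// Check answers one request: a compromised issuer key MAY revoke everything issued under it
// (clause 2.7); otherwise only the status recorded for that exact certificate applies.
func (r *Responder) Check(id CertID) Status {
	if r.compromisedKeys[id.IssuerKeyHash] {
		return Revoked
	}
	if s, ok := r.statuses[id]; ok {
		return s
	}
	return Unknown
}
func genKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// newCert issues a certificate for key; parent == nil makes it self-signed.
func newCert(cn string, serial int64, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}
// Demo runs the constructed scenario: "Example Sub CA" holds keys K1 and K2 and three CA certificates,
// A (K1, revoked), B (K1, renewed, still valid), C (K2, valid); a leaf is signed with K1.
func Demo() map[string]Status {
	rootKey, k1, k2, leafKey := genKey(), genKey(), genKey(), genKey()
	root := newCert("Example Root", 1, true, rootKey, nil, nil)
	subA := newCert("Example Sub CA", 100, true, k1, root, rootKey)
	subB := newCert("Example Sub CA", 101, true, k1, root, rootKey)
	subC := newCert("Example Sub CA", 102, true, k2, root, rootKey)
	leaf := newCert("www.example.test", 5000, false, leafKey, subA, k1)
	rootResp, subResp := NewResponder(), NewResponder() // authoritative for the root, and for Sub CA key K1
	rootResp.Set(IDFor(subA, root), Revoked) // certificate A is revoked; "the CA" is not
	rootResp.Set(IDFor(subB, root), Good)
	rootResp.Set(IDFor(subC, root), Good)
	subResp.Set(IDFor(leaf, subA), Good)
	out := map[string]Status{
		"CA cert A":             rootResp.Check(IDFor(subA, root)),
		"CA cert B (same key)":  rootResp.Check(IDFor(subB, root)),
		"CA cert C (other key)": rootResp.Check(IDFor(subC, root)),
		"leaf via B":            subResp.Check(IDFor(leaf, subB)), // same CertID as via A
	}
	subResp.MarkKeyCompromised(IDFor(leaf, subA).IssuerKeyHash) // K1 now known compromised (2.7)
	out["leaf after K1 compromise"] = subResp.Check(IDFor(leaf, subA))
	return out
}
```

`Demo()` returns revoked only for CA certificate A itself; B (same name, same key, different serial) and C (same name, other key) keep their own status, and a leaf whose chain passes through B gets the same answer as one passing through A because both produce the same CertID. Only when key K1 is recorded as compromised does the responder for that key start answering revoked for the leaf, which is the clause 2.7 case. A status lookup keyed on the subject name alone would have returned revoked for B, C and the leaf as soon as A was revoked.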