Hi,

While I was connected to an IPv6-only network I noticed that some CAs (e.g. Amazon, DigiCert, GoDaddy, QuoVadis) do not provide IPv6 on their CRL and OCSP endpoints. This means that certificate revocation does not work if you have no IPv6 or, depending on your security policy (e.g. require valid OCSP response), you get a lot of false positives.

Currently there is no section in the CA BR that requires dual-stack for CRL/OCSP. However, IPv6-only environments do exist and they will increase in future. So I wonder if you're aware of this issue and if there are any plans for mitigation.

Best regards,
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
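A practical way to check whether the certificates you rely on have this problem is to pull the OCSP and CRL URLs out of each certificate and ask DNS whether those hosts publish AAAA records. The following Go program is an added example, not part of the mail above or of any CA's tooling: it builds a constructed self-signed certificate carrying hypothetical `ocsp.example-ca.test` and `crl.example-ca.test` URLs, extracts the revocation endpoint hosts with the standard `crypto/x509` fields, and audits them through an injectable resolver so the example runs offline. The `fakeResolver` answers are constructed; on a real system pass `net.LookupIP` and the certificates from your own trust chain instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Resolver abstracts DNS lookup so the audit can be tested offline;
// net.LookupIP satisfies this signature on a live system.
type Resolver func(host string) ([]net.IP, error)

// EndpointResult records which address families a revocation endpoint host offers.
type EndpointResult struct {
	Host    string
	HasIPv4 bool
	HasIPv6 bool
}

// RevocationHosts returns the distinct DNS names of the OCSP responders and
// CRL distribution points embedded in a certificate, in AIA-then-CRL order.
func RevocationHosts(cert *x509.Certificate) []string {
	seen := map[string]bool{}
	var hosts []string
	add := func(raw string) {
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" {
			return // skip non-URL entries such as LDAP DNs or malformed strings
		}
		if h := u.Hostname(); !seen[h] {
			seen[h] = true
			hosts = append(hosts, h)
		}
	}
	for _, s := range cert.OCSPServer {
		add(s)
	}
	for _, s := range cert.CRLDistributionPoints {
		add(s)
	}
	return hosts
}

// AuditIPv6 resolves each host and records whether it has A and/or AAAA answers.
func AuditIPv6(hosts []string, resolve Resolver) []EndpointResult {
	var out []EndpointResult
	for _, h := range hosts {
		r := EndpointResult{Host: h}
		if ips, err := resolve(h); err == nil {
			for _, ip := range ips {
				if ip.To4() != nil {
					r.HasIPv4 = true
				} else if ip.To16() != nil {
					r.HasIPv6 = true
				}
			}
		}
		out = append(out, r)
	}
	return out
}

// IPv4OnlyHosts lists endpoints that an IPv6-only client could not reach:
// resolvable over IPv4 but with no IPv6 address at all.
func IPv4OnlyHosts(results []EndpointResult) []string {
	var bad []string
	for _, r := range results {
		if r.HasIPv4 && !r.HasIPv6 {
			bad = append(bad, r.Host)
		}
	}
	return bad
}

// sampleCert builds a constructed self-signed certificate with hypothetical
// OCSP and CRL URLs so the example needs no real CA certificate.
func sampleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		OCSPServer:            []string{"http://ocsp.example-ca.test"},
		CRLDistributionPoints: []string{"http://crl.example-ca.test/root.crl"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// fakeResolver is constructed test data: the OCSP host is dual-stack,
// the CRL host is IPv4-only (the situation the mail describes).
func fakeResolver(host string) ([]net.IP, error) {
	switch host {
	case "ocsp.example-ca.test":
		return []net.IP{net.ParseIP("192.0.2.10"), net.ParseIP("2001:db8::10")}, nil
	case "crl.example-ca.test":
		return []net.IP{net.ParseIP("192.0.2.20")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	cert, err := sampleCert()
	if err != nil {
		panic(err)
	}
	results := AuditIPv6(RevocationHosts(cert), fakeResolver)
	for _, r := range results {
		fmt.Printf("%-25s IPv4=%-5t IPv6=%t\n", r.Host, r.HasIPv4, r.HasIPv6)
	}
	fmt.Println("unreachable from IPv6-only clients:", IPv4OnlyHosts(results))
}
```

Running the audit over a certificate chain you have already fetched (for example with `x509.ParseCertificate` on each element of `tls.ConnectionState.PeerCertificates`) and `net.LookupIP` as the resolver gives the list of CRL/OCSP hosts that will fail on an IPv6-only network, which is the input you need when deciding whether a hard-fail OCSP policy is safe to enforce there.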

