On Fri, Jul 10, 2020 at 12:01 PM ccampetto--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Wouldn't it be enough to check that OCSP responses are signed with a
> certificate which presents the (mandatory, by BR) id-pkix-ocsp-nocheck?
> I've not checked, but I don't think that subordinate CA certificates have
> that extension.

You're describing a behaviour change to all clients, in order to work around the CA not following the profile.

This is a common response to many misissuance events: if the client software does not enforce that CAs actually do what they say, then it's not really a rule. Or, alternatively, that the only rules should be what clients enforce. We see this come up from time to time, e.g. certificate lifetimes, but this is a way of externalizing the costs/risks onto clients.

None of this changes what clients, in the field, today do. And if the problem was caused by a CA, isn't it reasonable to expect the problem to be fixed by the CA?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
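The check the quoted message proposes (does the signing certificate carry id-pkix-ocsp-nocheck?) is the kind of thing a CA or auditor can run over its own responder certificates before issuance, rather than something clients should bolt on. The following is an added example, not code from the thread or from any CA: a small DER walker over an X.509 Extensions SEQUENCE that reports whether the extension is present. The two inputs are constructed by hand, one resembling a delegated OCSP responder certificate's extensions and one resembling a subordinate CA's.

```python
# Added example: inspect a DER-encoded X.509 Extensions SEQUENCE for
# id-pkix-ocsp-nocheck (RFC 6960, OID 1.3.6.1.5.5.7.48.1.5).
ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this base-128 arc
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)

def parse_extensions(der: bytes) -> dict:
    """Return {oid: (critical, extnValue)} from an Extensions SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("each Extension must be a SEQUENCE")
        t, oid_bytes, p = _read_tlv(ext, 0)
        t, val, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:                       # optional BOOLEAN critical
            critical = val == b"\xff"
            t, val, p = _read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result[_decode_oid(oid_bytes)] = (critical, val)
    return result

def has_ocsp_nocheck(der: bytes) -> bool:
    return ID_PKIX_OCSP_NOCHECK in parse_extensions(der)

# Constructed sample: responder-style extensions (ocsp-nocheck + EKU OCSPSigning).
RESPONDER_EXTS = bytes.fromhex("302b" "300f06092b06010505073001050402" "0500"
                               "301806082b06010505070309040c300a0608" "2b06010505070309")
# Constructed sample: CA-style extensions (critical basicConstraints only).
CA_EXTS = bytes.fromhex("3011300f0603551d130101ff0405" "30030101ff")
```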