From my point of view, the arguments at
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13642.html
are as incontestable as the ones stated by Corey Bonnell here:
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13541.html


RFC 5280 and RFC 6960 have to be considered and thus, a certificate without
KU digitalSignature is not an OCSP Responder. We cannot choose what to
comply with or what is mandatory or if an RFC is mandatory but BR "profiles"
the RFC. And when I say "we" I mean all the players, especially the ones in
the CA/Browser Forum.


And yes, relying parties need to check this. For their own benefit, relying
parties need to understand how a proper OCSP response is made and check it
properly.


It is astonishing how what looks like a bad practice of (some) relying
parties has mutated into a security risk on the CAs' side.


It is not only a matter of CAs leading the solution of an, at least,
questionable security risk. It is a matter of working all together.


It is not a secret that the CA/B Forum is not living its better moments, in
part, due to unilateral decisions of (again, some) browsers against the
democratic (in terms of CA/B Forum bylaws) decision of a ballot.


It is time to collaborate again between CAs and Browsers instead of the
lately usual (some) Browsers slapping CAs. For transparency's sake, I think
that it would be a nice initiative from Browsers to disclose their
practices regarding the validation of OCSP Responses and, working all
together, improve or even design practices on this to be followed,
although following RFC 5280 and RFC 6960 should be sufficient.


Thanks,

Chema.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
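The checks the message says relying parties should perform on a delegated OCSP responder certificate, as an added example in Go that is not part of the original post or of any project discussed in the thread: it builds a throwaway issuing CA and three constructed responder certificates with Go's standard crypto/x509 package, then validates each against RFC 6960 §4.2.2.2 (issued directly by the CA and carrying id-kp-OCSPSigning) and the keyUsage digitalSignature requirement the message draws from RFC 5280 §4.2.1.3. The CA, subject names and scenario labels are constructed test data, and the function names CheckOCSPResponderCert, newCert and Scenarios are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckOCSPResponderCert applies the requirements discussed in the thread:
// RFC 6960 4.2.2.2 (signed directly by the issuing CA, id-kp-OCSPSigning EKU)
// and RFC 5280 4.2.1.3 (digitalSignature is the keyUsage bit for signatures on
// data other than certificates and CRLs, which is what an OCSP response is).
// A certificate with no keyUsage extension at all is rejected as well, which
// is the strict reading the message argues for.
func CheckOCSPResponderCert(responder, issuer *x509.Certificate) error {
	if err := responder.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("not signed directly by the issuing CA: %w", err)
	}
	hasOCSPSigning := false
	for _, eku := range responder.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			hasOCSPSigning = true
		}
	}
	if !hasOCSPSigning {
		return errors.New("extendedKeyUsage does not contain id-kp-OCSPSigning")
	}
	// KeyUsage is 0 when the extension is absent, so this also rejects that case.
	if responder.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("keyUsage absent or does not assert digitalSignature")
	}
	return nil
}

// newCert signs tmpl with parent/parentKey (self-signed when parent is nil). Constructed test data.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenarios issues three responder certificates from a throwaway CA and returns the check result per scenario.
func Scenarios() (map[string]error, error) {
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuing CA (constructed)"},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	ocsp := []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	cases := map[string]struct {
		ku   x509.KeyUsage
		ekus []x509.ExtKeyUsage
	}{
		"digitalSignature+OCSPSigning":    {x509.KeyUsageDigitalSignature, ocsp},
		"keyCertSign+cRLSign+OCSPSigning": {x509.KeyUsageCertSign | x509.KeyUsageCRLSign, ocsp},
		"digitalSignature, no EKU":        {x509.KeyUsageDigitalSignature, nil},
	}
	results := make(map[string]error, len(cases))
	for name, c := range cases {
		cert, _, err := newCert(&x509.Certificate{
			SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo OCSP Responder (constructed)"},
			KeyUsage: c.ku, ExtKeyUsage: c.ekus, // Go omits either extension when the value is empty
		}, ca, caKey)
		if err != nil {
			return nil, err
		}
		results[name] = CheckOCSPResponderCert(cert, ca)
	}
	return results, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, res := range results {
		fmt.Printf("%-34s -> %v\n", name, res)
	}
}
```

Run it with `go run`; only the responder carrying both digitalSignature and id-kp-OCSPSigning is accepted, while the certificate with keyCertSign and cRLSign only (the shape of a CA certificate that merely carries the OCSPSigning EKU) is refused even though its signature and EKU pass. A complete client still has to confirm that the responder's issuer is the CA that issued the certificate whose status is being checked and verify the signature on the OCSP response itself; this block covers only the certificate-profile part of that validation.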
