On Wed, Jul 15, 2020 at 12:30 PM Chema López via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> So, an ICA or SCA cert. without keyUsage set to digitalSignature is not an
> OCSP Responder. Full stop.

False. Full stop.

I mentioned this in my reply to Corey, but I think it's disastrous for trust for
a CA to make this response. I realize you qualified this as a personal
capacity, but I want to highlight that you also seem to be making this argument
in a professional capacity, as highlighted by
https://bugzilla.mozilla.org/show_bug.cgi?id=1649943. My hope is that, in
a professional capacity, you'll respond to that issue as has been requested.

Absent a further update, it may be necessary and appropriate to have a
discussion as to whether continued trust is warranted, because there's a
lack of urgency, awareness, transparency, and responsiveness to this issue.

I appreciate you quoting replies from the thread, but you also seem to have
cherry-picked replies that demonstrate an ignorance or lack of awareness
about the actual PKI ecosystem.

* macOS does not require the digitalSignature bit for validating OCSP
responses
* OpenSSL does not require the digitalSignature bit for validating OCSP
responses
* GnuTLS does not require the digitalSignature bit for validating OCSP
responses
* Mozilla NSS does not require the digitalSignature bit for validating OCSP
responses
* As best I can tell, Microsoft CryptoAPI does not require the
digitalSignature bit for validating OCSP responses (instead relying on
pkix-nocheck)

Mozilla code explicitly stated and referenced the fact that the
digitalSignature bit was not only seen as not necessary, but harmful for
interoperability, due to CAs.

You cannot pretend these are not OCSP responders simply because you haven't
issued OCSP responses (intent). They are, for every purpose, OCSP
responders that are misissued. And you need to treat this with the urgency,
seriousness, gravity, and trustworthiness required.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
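One way to check a certificate against the point made in the reply above, as an added example that is not code from the thread or from any of the implementations it names: it keys on the id-kp-OCSPSigning EKU alone, as those validators do, and flags the ICA profile under discussion (keyUsage certSign|cRLSign without digitalSignature). HasOCSPSigningEKU, IsMisissuedResponder and makeTestCert are this example's own names, and the self-signed certificate is constructed in memory as test data.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// HasOCSPSigningEKU reports whether the certificate asserts id-kp-OCSPSigning, which is what the validators above key on.
func HasOCSPSigningEKU(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return true
		}
	}
	return false
}

// IsMisissuedResponder flags the profile argued over above: responder by EKU, keyUsage without digitalSignature.
func IsMisissuedResponder(c *x509.Certificate) bool {
	return HasOCSPSigningEKU(c) && c.KeyUsage&x509.KeyUsageDigitalSignature == 0
}

// makeTestCert builds a constructed, self-signed CA certificate in memory (test data for this example, not a real CA).
func makeTestCert(ku x509.KeyUsage, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: ekus,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := makeTestCert(x509.KeyUsageCertSign|x509.KeyUsageCRLSign, []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning})
	if err != nil {
		panic(err)
	}
	fmt.Println("CA:", c.IsCA, "responder by EKU:", HasOCSPSigningEKU(c), "misissued:", IsMisissuedResponder(c))
}
```

The same check applied to a parsed production intermediate (x509.ParseCertificate on its DER) gives a CA a quick inventory of which of its subordinate certificates relying parties will accept as OCSP responders, whatever the keyUsage bits say.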