Do we believe that an affected CA should open a bug report? The situation is an edge case: as long as the OCSP responder didn't receive a request for such a specific URL, it didn't fail and the CA is compliant with the BRs, but as soon as it received such a request once, the CA is not compliant anymore. How do you feel?
/Rufus

[email protected] wrote on Wednesday, 13 October 2021 at 02:58:16 UTC+2:
> Corey Bonnell writes:
>
> >RFC 5019 leverages GET requests to improve cacheability [1]. Given the
> >performance benefits of implementing RFC 5019, this is likely why the BRs
> >mandate that CAs must support HTTP GET for their responders.
>
> Ah, right, and since 5019 removes the replay-protection nonces it would make
> the whole thing cacheable while non-5019 OCSP with nonces wouldn't be. The
> reason I brought it up is that SCEP has run into problems with GET, see the
> note at https://datatracker.ietf.org/doc/html/rfc8894.html#section-4.1, which
> are typically very hard to diagnose because of the conditions under which they
> occur.
>
> Peter.
>

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/74cd5180-15db-42c8-9f9e-16857944857cn%40mozilla.org.
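As an added example (not code from this thread or from any CA's responder), the following builds the OCSP GET form that RFC 5019 relies on (RFC 6960 Appendix A.1: DER request, base64, percent-encoded into one path segment), decodes it as a responder would, and shows why leaving out the nonce is what turns the URL into a stable cache key. The responder URL, issuer hashes and serial number are constructed values, and the DER helper only handles the short-form lengths this request needs.

```python
import base64
import os
from urllib.parse import quote, unquote

# Minimal DER helpers; every length in this example is below 128 bytes.
SEQ, OCT, INT, OID, NULL, CTX2 = 0x30, 0x04, 0x02, 0x06, 0x05, 0xA2
SHA1_OID = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26 (sha1)
NONCE_OID = bytes.fromhex("2b0601050507300102")   # id-pkix-ocsp-nonce

def der(tag, body):
    assert len(body) < 128, "short-form length only in this example"
    return bytes([tag, len(body)]) + body

def ocsp_request_der(issuer_name_hash, issuer_key_hash, serial, nonce=b""):
    """DER OCSPRequest (RFC 6960 4.1.1) with one CertID and an optional
    nonce extension (RFC 8954). Without a nonce the bytes are deterministic."""
    cert_id = der(SEQ, der(SEQ, der(OID, SHA1_OID) + der(NULL, b""))
                  + der(OCT, issuer_name_hash) + der(OCT, issuer_key_hash)
                  + der(INT, serial.to_bytes((serial.bit_length() + 8) // 8, "big")))
    tbs_body = der(SEQ, der(SEQ, cert_id))            # requestList
    if nonce:                                          # requestExtensions [2]
        ext = der(SEQ, der(OID, NONCE_OID) + der(OCT, der(OCT, nonce)))
        tbs_body += der(CTX2, der(SEQ, ext))
    return der(SEQ, der(SEQ, tbs_body))

def ocsp_get_url(responder_url, request_der):
    """RFC 6960 Appendix A.1: base64 the DER, then percent-encode so the
    '+', '/' and '=' of base64 stay inside a single path segment."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + quote(b64, safe="")

def decode_get_path(path):
    """Responder side: recover the DER whether or not the client percent-
    encoded the reserved characters; clients differ on this in practice."""
    path = path[1:] if path.startswith("/") else path
    return base64.b64decode(unquote(path), validate=True)

RESPONDER = "http://ocsp.example.test"                          # constructed
NAME_HASH, KEY_HASH = bytes(range(20)), bytes(range(20, 40))    # constructed
SERIAL = 0x0123456789ABCDEF                                     # constructed

def same_url_twice(with_nonce):
    """Two requests for the same CertID give the same URL (and so can be
    served from an HTTP cache) only when no nonce is included."""
    nonce = lambda: os.urandom(16) if with_nonce else b""
    urls = [ocsp_get_url(RESPONDER, ocsp_request_der(NAME_HASH, KEY_HASH, SERIAL, nonce()))
            for _ in range(2)]
    return urls[0] == urls[1]
```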
