Hi Vijay,

RFC 6960, Appendix A.2 says:

“An HTTP-based OCSP response is composed of the appropriate HTTP headers, followed by the binary value of the DER encoding of the OCSPResponse. The Content-Type header has the value "application/ocsp-response".”

I believe this is clear guidance that the Content-Type must be 
“application/ocsp-response” regardless of whether delegated responder 
certificates are used.


Thanks,

Corey


From: 'Vijay Kumar' via [email protected] 
<[email protected]> 
Sent: Wednesday, April 6, 2022 12:10 AM
To: [email protected]
Cc: Andrew Ayer <[email protected]>
Subject: Re: Introducing OCSP Watch to Monitor OCSP Responder Reliability


Hi Andrew,


Thanks for this work. We had a check on the counts coming under our name 
(eMudhra). The problem indicated for all certs is "OCSP response has invalid 
content type application/x-x509-ca-cert".

I believe this is an acceptable response and there is no problem. The OCSP 
responses are signed via a dedicated responder cert (not the CA), and hence it 
contains this cert data. Else the OCSP verification fails.

I would appreciate it if you/someone could suggest whether I'm missing something here.


Regards,

Vijay

On Tuesday, March 22, 2022 at 8:44:58 PM UTC+5:30 Andrew Ayer wrote:

Recently, we've seen several CA incidents related to the failure to 
provide OCSP responses, such as not operating OCSP services for abandoned 
certificate orders <https://bugzilla.mozilla.org/show_bug.cgi?id=1758027>, 
or publishing OCSP responses with lengthy delays 
<https://bugzilla.mozilla.org/show_bug.cgi?id=1758372>. 

To smoke out these issues, I've created OCSP Watch, which continuously 
audits a sample of unexpired certificates found in Certificate 
Transparency logs to make sure CAs are correctly operating OCSP 
services. OCSP Watch has identified over 1,000 certificates issued by 
20 distinct CAs for which the CA is not providing a valid OCSP response. 

The list of certificates can be found here: 

https://sslmate.com/labs/ocsp_watch/ 

OCSP responses are considered valid if the responder returns a response 
within 10 seconds that can be successfully parsed by Go's 
golang.org/x/crypto/ocsp package, and has a 
status of Good or Revoked. 

CAs should examine the above list and file an Incident Report if necessary. 

Regards, 
Andrew 
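As an added example (not code from OCSP Watch or from anyone in this thread), here are the envelope-level checks behind both Corey's Content-Type point and Andrew's validity criteria, in Go using only the standard library: a delegated responder's certificate travels inside the BasicOCSPResponse, so the HTTP Content-Type stays application/ocsp-response. The type and function names are my own, and constructedResponse builds placeholder bodies rather than real signed responses.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"mime"
)

// OCSPResponse envelope (RFC 6960 4.2.1); BasicOCSPResponse stays opaque here.
type ocspResponseEnvelope struct {
	Status        asn1.Enumerated
	ResponseBytes responseBytes `asn1:"explicit,tag:0,optional"`
}

type responseBytes struct {
	ResponseType asn1.ObjectIdentifier
	Response     []byte
}

var idPkixOcspBasic = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 1}

// CheckOCSPHTTPResponse checks the envelope before any full parse: Content-Type
// exactly application/ocsp-response (RFC 6960 A.2, parameters ignored), valid
// DER with no trailing bytes, responseStatus successful, basic responseType.
func CheckOCSPHTTPResponse(contentType string, body []byte) error {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil || mediaType != "application/ocsp-response" {
		return fmt.Errorf("OCSP response has invalid content type %q", contentType)
	}
	var env ocspResponseEnvelope
	rest, err := asn1.Unmarshal(body, &env)
	if err != nil || len(rest) != 0 {
		return fmt.Errorf("OCSPResponse is not valid DER: %v (%d trailing bytes)", err, len(rest))
	}
	if env.Status != 0 {
		return fmt.Errorf("responseStatus %d is not successful", env.Status)
	}
	if !env.ResponseBytes.ResponseType.Equal(idPkixOcspBasic) {
		return fmt.Errorf("unexpected responseType %v", env.ResponseBytes.ResponseType)
	}
	return nil
}

// constructedResponse builds a sample OCSPResponse DER; basic is a placeholder.
func constructedResponse(status int, basic []byte) ([]byte, error) {
	env := ocspResponseEnvelope{Status: asn1.Enumerated(status)}
	if status == 0 {
		env.ResponseBytes = responseBytes{ResponseType: idPkixOcspBasic, Response: basic}
	}
	return asn1.Marshal(env)
}
```

A real monitor would then hand the body to golang.org/x/crypto/ocsp to verify the signature and read the certificate status, which this envelope check deliberately does not do.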

-- 
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d039e4b0-e009-46fd-9402-a9e107a8fb75n%40mozilla.org.
