On Wed, Apr 6, 2022 at 12:09 AM 'Vijay Kumar' via [email protected] <[email protected]> wrote:
> I believe this is an acceptable response and there is no problem.

Can you explain why you believe this is? What standards or resources support this interpretation?

I realize that's a very direct/blunt way of asking a question, but mostly, it's useful to include the evidence/thought process with the "I believe" statements. It's totally fine to be wrong - no one is going to get everything right all of the time - but the more explanation about how/why conclusions were reached, the more we can do to improve the guidance or figure out where processes are failing.

> The OCSP response is signed via a dedicated responder cert (not the CA),
> and hence it contains this cert data. Else the OCSP verification fails.

Containing a certificate is different than indicating that mimetype. The mimetype indicates the URL contains a particular format.

Looking at https://www.iana.org/assignments/media-types/media-types.xhtml , we can see application/x-x509-ca-cert was registered by https://www.rfc-editor.org/rfc/rfc8894.html , which https://www.rfc-editor.org/rfc/rfc8894.html#name-registration-of-the-applica indicates is a legacy synonym for application/pkix-cert, and the expectation is a DER certificate.

Meanwhile, https://datatracker.ietf.org/doc/html/rfc6960#appendix-C.2 is quite clear that the expected MIME type for an OCSP response is application/ocsp-response , and is required by https://datatracker.ietf.org/doc/html/rfc6960#appendix-A.2
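The point in the reply above is that the declared media type and the DER structure of the body are two separate things: a responder can return a perfectly valid OCSPResponse (which may embed the responder certificate) while still labelling it with the wrong Content-Type. The following is an added example, written for this editorial pass and not code from the thread or from any CA's responder, that checks both halves: it normalizes the Content-Type header, sniffs the DER body to tell an OCSPResponse (SEQUENCE starting with an ENUMERATED responseStatus, RFC 6960) from a Certificate (SEQUENCE starting with the tbsCertificate SEQUENCE), and reports a finding when the two disagree. The sample DER blobs are constructed, not captured from a real responder; the function names are this example's own.

```python
"""Lint an OCSP responder's HTTP reply: does the Content-Type match RFC 6960
(application/ocsp-response), and does the body actually parse as a DER
OCSPResponse rather than a DER certificate?

Added example, not code from the mailing-list thread. DER samples are constructed.
"""
from dataclasses import dataclass
from email.message import Message  # stdlib parser for "type/subtype; param=value"
from typing import Optional, Tuple

OCSP_MEDIA_TYPE = "application/ocsp-response"  # RFC 6960, Appendix A.2 / C.2
# application/x-x509-ca-cert is a legacy synonym of application/pkix-cert (RFC 8894):
# both mean "this body is a DER certificate", not an OCSP response.
CERT_MEDIA_TYPES = {"application/pkix-cert", "application/x-x509-ca-cert"}


def parse_media_type(content_type: str) -> str:
    """Return the bare lowercase media type from a Content-Type value, parameters dropped."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_type()


def _der_tlv(buf: bytes, offset: int) -> Tuple[int, int, int]:
    """Read one DER tag and length at offset; return (tag, content_start, content_end)."""
    if offset + 1 >= len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[offset], buf[offset + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or offset + 2 + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
        hdr = 2 + n
    start, end = offset + hdr, offset + hdr + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, start, end


def sniff_der(body: bytes) -> str:
    """Classify a DER blob as 'ocsp-response', 'certificate' or 'unknown' by its outer shape."""
    try:
        tag, start, _ = _der_tlv(body, 0)
        if tag != 0x30:  # both structures are an outer SEQUENCE
            return "unknown"
        inner_tag, _, _ = _der_tlv(body, start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x0A:  # OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, ... }
        return "ocsp-response"
    if inner_tag == 0x30:  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "certificate"
    return "unknown"


def ocsp_status(body: bytes) -> Optional[int]:
    """Return the OCSPResponseStatus value (0 = successful, 3 = tryLater, ...), or None."""
    if sniff_der(body) != "ocsp-response":
        return None
    _, start, _ = _der_tlv(body, 0)
    _, s, e = _der_tlv(body, start)
    return int.from_bytes(body[s:e], "big") if e > s else None


@dataclass
class Finding:
    media_type: str
    body_kind: str
    ok: bool
    reason: str


def check_ocsp_reply(content_type: str, body: bytes) -> Finding:
    """Compare the declared media type with what the DER body really is."""
    mt = parse_media_type(content_type)
    kind = sniff_der(body)
    if mt == OCSP_MEDIA_TYPE and kind == "ocsp-response":
        return Finding(mt, kind, True, "Content-Type and body agree with RFC 6960")
    if kind == "ocsp-response":
        hint = " (that type means a DER certificate, per RFC 8894)" if mt in CERT_MEDIA_TYPES else ""
        return Finding(mt, kind, False,
                       f"body is an OCSPResponse but Content-Type is {mt}{hint}; expected {OCSP_MEDIA_TYPE}")
    return Finding(mt, kind, False, f"body does not parse as an OCSPResponse (looks like: {kind})")


# Constructed sample bodies (not captured from any real responder).
GOOD_OCSP = bytes.fromhex("30030a0100")      # OCSPResponse { responseStatus successful(0) }
TRYLATER_OCSP = bytes.fromhex("30030a0103")  # OCSPResponse { responseStatus tryLater(3) }
FAKE_CERT = bytes.fromhex("30053003020100")  # SEQUENCE { SEQUENCE { INTEGER 0 } }: certificate-shaped

if __name__ == "__main__":
    for ct, body in [("application/ocsp-response", GOOD_OCSP),
                     ("application/x-x509-ca-cert", GOOD_OCSP),
                     ("Application/OCSP-Response; charset=binary", FAKE_CERT)]:
        print(check_ocsp_reply(ct, body))
```

The sniffing is deliberately shallow: it only looks at the first two DER headers, which is enough to separate the two structures the thread is about without pulling in a full ASN.1 library. A full validation of the response (signature by the designated responder, nonce, thisUpdate/nextUpdate) is a separate step that this check does not replace.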
