Thanks Paul, Corey, Ryan.

The responses we analysed led us to believe that 'the OCSP response 
containing a certificate value is causing the issue'. We were wondering 
whether that is right, as RFC 6960 permits an OPTIONAL certificate value 
in the response. Some of our sample tests gave us a proper MIME type 
response (different certs). Hence, I was trying to ask if there is something 
in the 'OCSP watch' code when a different responder certificate is used.

Sorry about the confusion here. It looks like there was a problem in the 
OCSP URL, which is being worked on now. It was giving a different 
content-type response, impacting some of the certificate issuances recently. 
The incident details will be published separately.

Sorry about the blunt way of asking the question. As we know, non-native 
English speakers often end up drafting questions in an improper manner. 
But this is great advice, and it would have been helpful if I had 
elaborated my understanding / belief in the first instance. Thanks.

Vijay.

On Wednesday, April 6, 2022 at 6:33:20 PM UTC+5:30 Ryan Sleevi wrote:

> On Wed, Apr 6, 2022 at 12:09 AM 'Vijay Kumar' via [email protected] 
> <[email protected]> wrote:
>
>> I believe this is an acceptable response and there is no problem.
>>
>
> Can you explain why you believe this is? What standards or resources 
> support this interpretation?
>
> I realize that's a very direct/blunt way of asking a question, but mostly, 
> it's useful to include the evidence/thought process with the "I believe" 
> statements. It's totally fine to be wrong - no one is going to get 
> everything right all of the time - but the more explanation about how/why 
> conclusions were reached, the more we can do to improve the guidance or 
> figure out where processes are failing.
>  
>
>> The OCSP responses are signed via a dedicated responder cert (not the CA), 
>> and hence they contain this cert data. Else the OCSP verification fails.
>>
>
> Containing a certificate is different from indicating that mimetype. The 
> mimetype indicates the URL contains a particular format.
>
> Looking at https://www.iana.org/assignments/media-types/media-types.xhtml 
> , we can see application/x-x509-ca-cert was registered by 
> https://www.rfc-editor.org/rfc/rfc8894.html , which 
> https://www.rfc-editor.org/rfc/rfc8894.html#name-registration-of-the-applica 
> indicates this is a legacy synonym to application/pkix-cert, and the 
> expectation is a DER certificate.
>
> Meanwhile, https://datatracker.ietf.org/doc/html/rfc6960#appendix-C.2 is 
> quite clear that the expected MIME type for an OCSP response is 
> application/ocsp-response , and is required by 
> https://datatracker.ietf.org/doc/html/rfc6960#appendix-A.2
>
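Added example (not from this thread, nor from any CA's or monitor's code): a small Python check of the two things Ryan's reply says RFC 6960 requires of an OCSP responder's HTTP reply, namely a Content-Type of application/ocsp-response (Appendix A.2) and a body that is a DER-encoded OCSPResponse. It deliberately uses no ASN.1 library: an OCSPResponse is a SEQUENCE whose first element is the ENUMERATED responseStatus, while a Certificate is a SEQUENCE whose first element is the tbsCertificate SEQUENCE, so the two can be told apart from the first few bytes. The sample bodies and headers at the bottom are constructed for the demo; the certificate-like body only mimics the outer structure of a certificate and is not a real one.

```python
"""Check an OCSP responder's HTTP reply against RFC 6960 (added example).

RFC 6960 Appendix A.2: Content-Type must be application/ocsp-response and the
body must be a DER-encoded OCSPResponse:

    OCSPResponse ::= SEQUENCE {
        responseStatus  OCSPResponseStatus,          -- ENUMERATED
        responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }

A Certificate (application/pkix-cert, legacy application/x-x509-ca-cert) is
also a DER SEQUENCE, but its first element is the tbsCertificate SEQUENCE.
"""
from typing import Dict, List, Tuple

EXPECTED_CONTENT_TYPE = "application/ocsp-response"

# OCSPResponseStatus values, RFC 6960 section 4.2.1 (value 4 is unused).
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

TAG_SEQUENCE = 0x30
TAG_ENUMERATED = 0x0A


def _read_tlv(data: bytes, offset: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at offset; return (tag, value, next offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER: missing tag or length")
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length, 1..4 bytes
        n = first & 0x7F
        if n == 0 or n > 4 or offset + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    if offset + length > len(data):
        raise ValueError("truncated DER: value exceeds buffer")
    return tag, data[offset:offset + length], offset + length


def classify_body(body: bytes) -> str:
    """Return 'ocsp-response', 'certificate' or 'unknown' from the DER shape."""
    try:
        tag, inner, end = _read_tlv(body, 0)
        if tag != TAG_SEQUENCE or end != len(body):
            return "unknown"
        first_tag, _, _ = _read_tlv(inner, 0)
    except ValueError:
        return "unknown"
    if first_tag == TAG_ENUMERATED:
        return "ocsp-response"
    if first_tag == TAG_SEQUENCE:
        return "certificate"
    return "unknown"


def ocsp_response_status(body: bytes) -> str:
    """Decode OCSPResponse.responseStatus; ValueError if body is not an OCSPResponse."""
    if classify_body(body) != "ocsp-response":
        raise ValueError("body is not a DER OCSPResponse")
    _, inner, _ = _read_tlv(body, 0)
    _, status, _ = _read_tlv(inner, 0)
    if len(status) != 1:
        raise ValueError("unexpected responseStatus encoding")
    return RESPONSE_STATUS.get(status[0], f"unknown({status[0]})")


def check_ocsp_http_response(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return findings for a responder reply; an empty list means it conforms."""
    findings: List[str] = []
    content_type = ""
    for name, value in headers.items():          # header names are case-insensitive
        if name.lower() == "content-type":
            content_type = value.split(";")[0].strip().lower()
    if content_type != EXPECTED_CONTENT_TYPE:
        findings.append(f"Content-Type is {content_type!r}, expected "
                        f"{EXPECTED_CONTENT_TYPE!r} (RFC 6960 Appendix A.2)")
    kind = classify_body(body)
    if kind != "ocsp-response":
        findings.append(f"body is not a DER OCSPResponse (looks like: {kind})")
    return findings


# Constructed samples for the demo (not captured from any real responder).
SAMPLE_OCSP_TRYLATER = bytes.fromhex("30030a0103")       # OCSPResponse, status tryLater
SAMPLE_OCSP_SUCCESS = bytes.fromhex("30030a0100")        # OCSPResponse, status successful
SAMPLE_CERT_LIKE = bytes.fromhex("30053003020102")       # SEQUENCE { SEQUENCE { INTEGER 2 } }

if __name__ == "__main__":
    good = {"Content-Type": "application/ocsp-response"}
    wrong = {"Content-Type": "application/x-x509-ca-cert"}
    print("good reply:", check_ocsp_http_response(good, SAMPLE_OCSP_SUCCESS))
    print("wrong header:", check_ocsp_http_response(wrong, SAMPLE_OCSP_SUCCESS))
    print("cert body:", check_ocsp_http_response(wrong, SAMPLE_CERT_LIKE))
    print("status:", ocsp_response_status(SAMPLE_OCSP_TRYLATER))
```

The header check and the body check are kept separate on purpose: the thread's case was a correct OCSPResponse served under the wrong Content-Type, which a client that only sniffs the DER would silently accept, while a monitor keyed only on the header would miss the opposite failure of a certificate served under the right Content-Type.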

To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6e4bee12-3b74-4bca-8760-c9a92f4b03bfn%40mozilla.org.