Hi Vijay,

You might want to check RFC 6960 appendix A - OCSP over HTTP:

*An HTTP-based OCSP response is composed of the appropriate HTTP headers, followed by the binary value of the DER encoding of the OCSPResponse. The Content-Type header has the value "application/ocsp-response". The Content-Length header SHOULD specify the length of the response. Other HTTP headers MAY be present and MAY be ignored if not understood by the requestor.*

- https://datatracker.ietf.org/doc/html/rfc6960#appendix-A.2
- https://datatracker.ietf.org/doc/html/rfc6960#appendix-C

Paul

On Wednesday, 6 April 2022 at 06:09:36 UTC+2 [email protected] wrote:
> Hi Andrew,
>
> Thanks for this work. We had a check on the counts coming under our name
> (eMudhra). The problem indicated for all certs is "OCSP response has
> invalid content type application/x-x509-ca-cert".
>
> I believe this is an acceptable response and there is no problem. The OCSP
> responses are signed via a dedicated responder cert (not the CA), and hence it
> contains this cert data. Else the OCSP verification fails.
>
> Appreciate if you/someone can suggest if I'm missing something here.
>
> Regards,
> Vijay
>
> On Tuesday, March 22, 2022 at 8:44:58 PM UTC+5:30 Andrew Ayer wrote:
>
>> Recently, we've seen several CA incidents related to the failure to
>> provide OCSP responses, such as not operating OCSP services for abandoned
>> certificate orders <https://bugzilla.mozilla.org/show_bug.cgi?id=1758027>,
>> or publishing OCSP responses with lengthy delays
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1758372>.
>>
>> To smoke out these issues, I've created OCSP Watch, which continuously
>> audits a sample of unexpired certificates found in Certificate
>> Transparency logs to make sure CAs are correctly operating OCSP
>> services. OCSP Watch has identified over 1,000 certificates issued by
>> 20 distinct CAs for which the CA is not providing a valid OCSP response.
>>
>> The list of certificates can be found here:
>>
>> https://sslmate.com/labs/ocsp_watch/
>>
>> OCSP responses are considered valid if the responder returns a response
>> within 10 seconds that can be successfully parsed by Go's
>> golang.org/x/crypto/ocsp package, and has a status of Good or Revoked.
>>
>> CAs should examine the above list and file an Incident Report if
>> necessary.
>>
>> Regards,
>> Andrew
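The RFC 6960 appendix A.2 requirement Paul points to, as an added example that is not part of the original thread or of OCSP Watch: a small Python checker that validates the HTTP Content-Type and the outer DER structure of an OCSPResponse (responseStatus, and for a successful response the id-pkix-ocsp-basic responseType), run over constructed sample responses including one carrying the application/x-x509-ca-cert header discussed above. The sample bodies are constructed here, and the OCTET STRING payload is a placeholder for a real BasicOCSPResponse, which this checker neither parses nor verifies.

```python
OCSP_CONTENT_TYPE = "application/ocsp-response"          # RFC 6960 appendix A.2
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}  # section 4.2.1
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # OID 1.3.6.1.5.5.7.48.1.1

def read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def check_ocsp_http_response(raw: bytes) -> dict:
    """Return the decoded responseStatus plus a list of RFC 6960 problems."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in
               (line.partition(":") for line in head.decode().split("\r\n")[1:])}
    problems, status = [], None
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != OCSP_CONTENT_TYPE:
        problems.append(f"invalid content type {media_type!r}")
    try:
        tag, seq, _ = read_tlv(body, 0)            # OCSPResponse ::= SEQUENCE { ... }
        status_tag, val, pos = read_tlv(seq, 0)    # responseStatus ENUMERATED
        if tag != 0x30 or status_tag != 0x0A or len(val) != 1:
            raise ValueError("not an OCSPResponse")
        status = STATUS_NAMES.get(val[0], f"unknown({val[0]})")
        if val[0] == 0:  # successful: responseBytes [0] EXPLICIT must carry the basic OID
            tag, rb, _ = read_tlv(seq, pos)
            oid_tag, oid, _ = read_tlv(read_tlv(rb, 0)[1], 0)
            if tag != 0xA0 or oid_tag != 0x06 or oid != ID_PKIX_OCSP_BASIC:
                problems.append("responseType is not id-pkix-ocsp-basic")
    except (IndexError, ValueError):
        problems.append("body is not a DER-encoded OCSPResponse")
    return {"response_status": status, "problems": problems}

def der(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value  # short-form DER, enough for the samples

def http_response(content_type: str, body: bytes) -> bytes:
    return f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n\r\n".encode() + body

# Constructed samples (not captured traffic); the OCTET STRING stands in for a BasicOCSPResponse.
SUCCESS_BODY = der(0x30, der(0x0A, b"\x00") + der(0xA0, der(
    0x30, der(0x06, ID_PKIX_OCSP_BASIC) + der(0x04, b"\x00"))))
GOOD = http_response("application/ocsp-response", SUCCESS_BODY)
WRONG_TYPE = http_response("application/x-x509-ca-cert", SUCCESS_BODY)  # the case in the thread
TRY_LATER = http_response("application/ocsp-response", der(0x30, der(0x0A, b"\x03")))
```

A responder that signs with a delegated responder certificate still labels the HTTP body application/ocsp-response; the certificate travels inside BasicOCSPResponse.certs, not in the Content-Type.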
