On Fri, Feb 16, 2024 at 09:05:39AM -0800, Suchan Seo wrote:

> 1. a CA issues both long life leaf cert with OCSP endpoint and 5 day one
> without any OCSP AIA in it, what OCSP responder can/should answer for short
> life certificate?

By my reading of the BRs (as of v2.0.2, anyway) and the Mozilla root store policy, OCSP responders for short-lived certificates still have to return "good". Does your reading of the relevant documents produce a different interpretation?

> 2. Can an intermediate CA run two sharded OCSP responders, split by last
> bit of serial number and fill AIA with correct one? if allowed, can
> odd.ocsp.ca.com answer "unused" at all even serial number and not
> considered bindingly revoked?

Well, an OCSP response that said a particular serial was "unused" (technically it's "unknown", but I presume we're referring to the same thing) wouldn't be considered bindingly revoked, because if an OCSP responder wants to indicate a certificate is revoked, it returns a "revoked" response.

However, I very much doubt it would be reasonable to operate OCSP in the way you describe. An OCSP response isn't "bound" to the responder that produced it (you can use separate responder certs, but I don't know of any way to constrain the set of serial numbers that a responder cert is valid for), so an OCSP response that returned "unknown" would still chain to the intermediate that *did* issue that certificate, and that would be... not great.

If, for some reason, you wanted to "shard" OCSP responses like that, presumably the correct approach would be to issue from multiple intermediates.

- Matt

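A small demonstration of the two points in Matt's reply, added here as an example and not part of the original thread: an "unknown" response is not a "revoked" one, and a delegated responder certificate carries nothing that limits it to a subset of serial numbers, so its answer for an "even" serial verifies and chains to the issuing intermediate exactly like its answer for an "odd" one. It assumes the Python `cryptography` package and builds a throwaway, constructed test PKI (one intermediate, one delegated responder, two leaves with serials 0x10 and 0x11).

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
CA_NAME = "Example Intermediate (constructed)"

def make_cert(cn, issuer_cn, signer_key, pub, serial, ca=False, ocsp_signer=False):
    # Throwaway test-PKI certificate; names and serials are constructed for this example.
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
         .public_key(pub).serial_number(serial)
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=5))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signer:  # id-kp-OCSPSigning: says nothing about which serials the responder may answer for
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(signer_key, hashes.SHA256())

ca_key, resp_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ca = make_cert(CA_NAME, CA_NAME, ca_key, ca_key.public_key(), 1, ca=True)
responder = make_cert("odd.ocsp (constructed)", CA_NAME, ca_key, resp_key.public_key(), 2, ocsp_signer=True)
even_leaf = make_cert("even.example", CA_NAME, ca_key, leaf_key.public_key(), 0x10)
odd_leaf = make_cert("odd.example", CA_NAME, ca_key, leaf_key.public_key(), 0x11)

def respond(leaf, status):
    """The 'odd' shard's responder signing an answer for whatever serial it is asked about."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(leaf, ca, hashes.SHA256(), status, NOW, None, None, None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, responder)
            .certificates([responder])
            .sign(resp_key, hashes.SHA256()))

def check(resp, leaf):
    """Relying-party view: verify the response and the responder cert, then report what it means."""
    signer = resp.certificates[0]
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    ca.public_key().verify(signer.signature, signer.tbs_certificate_bytes, ec.ECDSA(signer.signature_hash_algorithm))
    return {
        "status": resp.certificate_status.name,
        "treated_as_revoked": resp.certificate_status is ocsp.OCSPCertStatus.REVOKED,  # only "revoked" revokes
        "responder_issued_by_leaf_issuer": signer.issuer == leaf.issuer,  # the signer still chains to the issuing CA
    }

def demo():
    # "unknown" for the even serial verifies exactly like "good" for the odd one.
    return (check(respond(even_leaf, ocsp.OCSPCertStatus.UNKNOWN), even_leaf),
            check(respond(odd_leaf, ocsp.OCSPCertStatus.GOOD), odd_leaf))
```

Both answers in `demo()` pass signature and chain checks; nothing in the responder certificate distinguishes a serial it was "supposed" to answer for from one it was not.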