Todd Denniston wrote:

> In this certificate there is a section "Authority Information Access" which contains an OCSP URI definition; pkcs11_vfy is faulting on what it finds there. The URI (shouldn't that be URL?) that is on mine is a disa.mil host, which eventually times out when I try to have Firefox or Lynx look at it, so vfy may just not be able to get a response, or it is improperly defined.

It's properly defined. You're behind a proxy. NSS now supports proxies but I'm unsure how to config this in FC6. In Firefox 2 NSS obeys the Firefox proxy settings so OCSP works fine (assuming you have the DoD OCSP signing certificate installed). I'm unsure whether this made it into Thunderbird 1.5 or if it's waiting for 2.0.

> I say _mine_ has an OCSP URI definition because it seems that the more of these CAC certs I look at (before importing into Thunderbird), the more I notice that the "Authority Information Access" and "X509v3 CRL Distribution Points" seem to be inconsistently applied, like the operator creating the badge gets to choose/enter the information and some of them do it and others don't.

OCSP URIs were added to the profile when DoD Root CA 2 was stood up. Certs that chain to the original root (DoD CLASS 3 Root CA) have no OCSP URI.

-- Tim

_______________________________________________
Muscle mailing list
http://lists.drizzle.com/mailman/listinfo/muscle
