Re: DigiCert OCSP services returns 1 byte

2019-09-18 Thread Wayne Thayer via dev-security-policy
Thanks Curt. Reading between the lines of Ryan's and your response, I'm thinking that we should specifically ban or limit the scope of "unknown" responses somewhere - perhaps in the BRs. Otherwise I think RFC 6960 leaves some room for a CA to argue that they are permitted to use that response in

OCSP responder support for SHA256 issuer identifier info

2019-09-18 Thread Curt Spann via dev-security-policy
In the WebPKI ecosystem I have seen a wide range of OCSP responses for OCSP requests using SHA256 for the issuerNameHash and issuerKeyHash. I have observed the following types of OCSP responses: 1. “good” response with issuerNameHash and issuerKeyHash using SHA256 2. “good” response with
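An added example to go with the post above (it is not code from the thread or from any CA): how a client builds an RFC 6960 OCSPRequest whose CertID uses SHA-256 for issuerNameHash and issuerKeyHash, and the check a responder has to perform to match such a CertID to the issuer it serves. It uses only the standard library and hand-rolled DER; the issuer Name, SubjectPublicKeyInfo and serial number are constructed placeholders, not real CA data, and the function names are this example's own.

```python
"""OCSP request construction with SHA-256 issuer hashes (RFC 6960 s4.1.1).

Added example, not code from the mailing-list thread. Pure-Python DER;
SAMPLE_ISSUER_NAME / SAMPLE_ISSUER_SPKI / SAMPLE_SERIAL are constructed
stand-ins, not a real CA's data.
"""
import hashlib

# OID arcs for the digests a client may name in CertID.hashAlgorithm.
DIGEST_OIDS = {
    "sha1": bytes.fromhex("2b0e03021a"),            # 1.3.14.3.2.26
    "sha256": bytes.fromhex("608648016503040201"),  # 2.16.840.1.101.3.4.2.1
}


def der_len(n: int) -> bytes:
    """DER length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """One DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 when the top bit is set)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_key_bits(spki_der: bytes) -> bytes:
    """subjectPublicKey bits from a SubjectPublicKeyInfo, without the BIT STRING
    tag, length and unused-bits byte: exactly what RFC 6960 hashes for
    issuerKeyHash (it is NOT a hash of the whole SPKI)."""
    _, spki, _ = der_read(spki_der)
    _, _alg, pos = der_read(spki)            # AlgorithmIdentifier, skipped
    tag, bits, _ = der_read(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    return bits[1:]


def build_cert_id(issuer_name_der, issuer_spki_der, serial, digest="sha256"):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    issuerNameHash covers the DER of the issuer Name as it appears in the cert."""
    h = getattr(hashlib, digest)
    # Explicit NULL parameters; RFC 5754 prefers absent for SHA-2 but requires NULL be accepted.
    alg_id = der(0x30, der(0x06, DIGEST_OIDS[digest]) + b"\x05\x00")
    return der(0x30, alg_id
               + der(0x04, h(issuer_name_der).digest())
               + der(0x04, h(issuer_key_bits(issuer_spki_der)).digest())
               + der_integer(serial))


def build_ocsp_request(issuer_name_der, issuer_spki_der, serial, digest="sha256"):
    """Unsigned OCSPRequest with one Request and no extensions; version v1 is
    DEFAULT and therefore omitted under DER."""
    request = der(0x30, build_cert_id(issuer_name_der, issuer_spki_der, serial, digest))
    tbs_request = der(0x30, der(0x30, request))     # TBSRequest { requestList }
    return der(0x30, tbs_request)


def cert_id_fields(request_der: bytes):
    """Responder-side view: (digest name or None, issuerNameHash, issuerKeyHash,
    serial) from the first CertID of an OCSPRequest produced above."""
    _, tbs, _ = der_read(request_der)
    _, req_list, _ = der_read(tbs)
    _, request, _ = der_read(req_list)
    _, cert_id, _ = der_read(request)
    _, fields, _ = der_read(cert_id)
    _, alg, pos = der_read(fields)
    _, oid, _ = der_read(alg)
    _, name_hash, pos = der_read(fields, pos)
    _, key_hash, pos = der_read(fields, pos)
    _, serial, _ = der_read(fields, pos)
    digest = next((k for k, v in DIGEST_OIDS.items() if v == oid), None)
    return digest, name_hash, key_hash, int.from_bytes(serial, "big")


def responder_matches_issuer(request_der, issuer_name_der, issuer_spki_der) -> bool:
    """What a responder must do before answering: honour the digest the client
    chose, recompute both hashes for the issuer it serves, and compare. A
    responder that only precomputed SHA-1 CertIDs fails this for SHA-256 requests."""
    digest, name_hash, key_hash, _ = cert_id_fields(request_der)
    if digest is None:
        return False
    h = getattr(hashlib, digest)
    return (name_hash == h(issuer_name_der).digest()
            and key_hash == h(issuer_key_bits(issuer_spki_der)).digest())


# Constructed sample issuer: Name = CN=Example CA; SPKI = id-ecPublicKey/prime256v1
# carrying a placeholder 65-byte "uncompressed point" that is not a real key.
SAMPLE_ISSUER_NAME = der(0x30, der(0x31, der(0x30,
    der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example CA"))))
SAMPLE_ISSUER_SPKI = der(0x30,
    der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))
            + der(0x06, bytes.fromhex("2a8648ce3d030107")))
    + der(0x03, b"\x00" + b"\x04" + bytes(range(64))))
SAMPLE_SERIAL = 0x0A1B2C3D4E5F60718293A4B5C6D7E8F9

if __name__ == "__main__":
    req = build_ocsp_request(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_SPKI, SAMPLE_SERIAL)
    print(req.hex())
    print(cert_id_fields(req)[0], responder_matches_issuer(req, SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_SPKI))
```

The point the thread is circling is in `responder_matches_issuer`: the digest is the client's choice, so a responder has to recompute the issuer hashes with whatever algorithm the request names rather than comparing against a single SHA-1 table, and a CertID it cannot match is the one case where "unknown" is the honest answer. To send the same request to a live responder, `openssl ocsp` accepts `-sha256` to select the CertID digest.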

CCADB Policy Update: Exceptions to Policies, Practices, and Audit Information

2019-09-18 Thread Wayne Thayer via dev-security-policy
When Rob Stradling announced the excellent addition of the "Inconsistent Audit Details" and "Inconsistent CP/CPS Details" sections to the crt.sh Mozilla CA Certificate Disclosures report [1], we discovered some inconsistencies between Mozilla's expectations and CCADB policy [2]. To correct this,

Re: DigiCert OCSP services returns 1 byte

2019-09-18 Thread Curt Spann via dev-security-policy
My interpretation is once a precertificate has been signed with the issuing CA key the corresponding OCSP service should only respond with "good" or "revoked". In this case an "unknown" response indicates the specific serial number for the issuing CA has not been assigned which isn’t the case.