Re: GTS - OCSP serving issue 2020-04-09

2020-04-18 Thread Ryan Sleevi via dev-security-policy
On Sat, Apr 18, 2020 at 6:39 PM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> What does "contractual jeopardy" mean here?
The Baseline Requirements address this. See 9.16.3 (particularly item 5)
and 9.6.1 (6).

For better or worse, the situation is as Neil described and required for
all CAs.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: GTS - OCSP serving issue 2020-04-09

2020-04-18 Thread Nick Lamb via dev-security-policy
On Fri, 17 Apr 2020 18:34:00 +0100
Neil Dunbar via dev-security-policy wrote:

> timestamp checking etc, etc]. Ryan's writeup calls out the revoked
> situation under the heading of 'make sure it is something the client
> will accept' - if the client understands OCSP responses at all, it
> needs to understand revoked, surely?

I'm sure the client does understand revoked, but it won't (and
certainly shouldn't) _accept_ it, hence Ryan's choice of language.

Clients also understand expired OCSP certificates, and they don't accept
those either.

> Because it places you (a good actor) in compliance with your
> subscriber agreement? Just as an example, some text in a few commonly
> used CA Subscriber Agreements have subscriber obligations like "cease
> all use of the Certificate and its Private Key upon expiration or
> revocation of the Certificate" or "Subscriber shall promptly cease
> using a Certificate and its associated Private Key" (under the
> section for revocation). Presumably failure to adhere to that
> agreement could place you in some contractual jeopardy?

What does "contractual jeopardy" mean here?

I guess a CA representative might chime in here to tell us if they've
sued any subscribers for not treating OCSP responses as a legal notice
that they must desist using a Private Key? My firm guess would be "No,
this has never happened".

In fact do any CA representatives want to stand up and tell us they
regard OCSP responses as legally binding declarations by their CA
which are immune to ordinary mistakes?

Nick.
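Nick's point above (a client can parse a revoked or expired OCSP response perfectly well and still refuse to treat it as proof that the certificate is usable) is the distinction a relying party draws between understanding a response and accepting it. The following is an added example, not code from this thread or from any CA or browser, that models that decision over the fields of a SingleResponse as defined in RFC 6960 section 4.2.2.1. The SingleResponse class, the MAX_CLOCK_SKEW and MAX_AGE_WITHOUT_NEXT_UPDATE values, the treatment of an "unknown" status as carrying no evidence, and the sample responses are all assumptions constructed for illustration; signature and responder-authority checks are assumed to have already passed before evaluate() is called.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class CertStatus(Enum):
    """CertStatus choices from RFC 6960 section 4.2.1."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class Disposition(Enum):
    """What the relying party does with the certificate after reading the response."""
    TRUST_CERT = "trust certificate"          # response accepted, status good
    REJECT_CERT = "reject certificate"        # response accepted, status revoked: hard fail
    DISCARD_RESPONSE = "discard response"     # response understood, but not usable as evidence


@dataclass(frozen=True)
class SingleResponse:
    """Constructed model of the SingleResponse fields a client inspects (assumption)."""
    serial: int
    cert_status: CertStatus
    this_update: datetime
    next_update: Optional[datetime]           # nextUpdate is OPTIONAL in RFC 6960
    revocation_time: Optional[datetime] = None


# Assumed local policy values, not taken from RFC 6960 or any CA's CP/CPS.
MAX_CLOCK_SKEW = timedelta(minutes=5)
MAX_AGE_WITHOUT_NEXT_UPDATE = timedelta(days=7)


def evaluate(resp: SingleResponse, now: datetime) -> Tuple[Disposition, str]:
    """Decide whether a parsed, signature-verified SingleResponse is accepted.

    Freshness is checked first (RFC 6960 section 4.2.2.1: thisUpdate must not
    lie in the future and nextUpdate, when present, must not have passed).
    Only a fresh response is taken as evidence about the certificate.
    """
    if resp.this_update > now + MAX_CLOCK_SKEW:
        return Disposition.DISCARD_RESPONSE, "thisUpdate is in the future"
    if resp.next_update is not None:
        if resp.next_update + MAX_CLOCK_SKEW < now:
            # The "expired" case: parsed fine, understood, not accepted.
            return Disposition.DISCARD_RESPONSE, "nextUpdate has passed (expired response)"
    elif now - resp.this_update > MAX_AGE_WITHOUT_NEXT_UPDATE:
        return Disposition.DISCARD_RESPONSE, "no nextUpdate and thisUpdate is too old"

    if resp.cert_status is CertStatus.REVOKED:
        # The "revoked" case: understood, and it is the certificate that is refused.
        when = resp.revocation_time.isoformat() if resp.revocation_time else "unknown time"
        return Disposition.REJECT_CERT, f"certificate revoked at {when}"
    if resp.cert_status is CertStatus.UNKNOWN:
        # Assumed policy: the responder does not know the certificate, so this
        # response proves nothing either way and another source is needed.
        return Disposition.DISCARD_RESPONSE, "responder does not know this certificate"
    return Disposition.TRUST_CERT, "status good within validity window"


def classify_samples() -> Dict[int, Disposition]:
    """Run evaluate() over constructed sample responses at a fixed constructed 'now'."""
    now = datetime(2020, 4, 18, 12, 0, tzinfo=timezone.utc)
    h, d = timedelta(hours=1), timedelta(days=1)
    samples = [
        SingleResponse(0x1001, CertStatus.GOOD, now - h, now + 3 * d),
        SingleResponse(0x1002, CertStatus.REVOKED, now - h, now + 3 * d, now - d),
        SingleResponse(0x1003, CertStatus.GOOD, now - 10 * d, now - 3 * d),   # expired
        SingleResponse(0x1004, CertStatus.GOOD, now + 2 * h, now + 3 * d),    # thisUpdate in future
        SingleResponse(0x1005, CertStatus.UNKNOWN, now - h, now + 3 * d),
        SingleResponse(0x1006, CertStatus.GOOD, now - 10 * d, None),          # no nextUpdate, too old
    ]
    return {s.serial: evaluate(s, now)[0] for s in samples}


if __name__ == "__main__":
    for serial, disposition in classify_samples().items():
        print(f"serial {serial:#x}: {disposition.value}")
```

The ordering matters: freshness is decided before status is even looked at, so a revoked status inside an expired response is discarded rather than acted on, and a "good" inside an expired response never becomes grounds for trust. That is the behaviour Nick describes, in which the client understands both revoked and expired responses and accepts neither as permission to use the certificate.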