Re: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2020-07-02 Thread Peter Mate Erdosi via dev-security-policy
responses here to a different question, > because it appears (likely my misinterpretation) from this thread it's OK > to include OCSP-signing into a CA certificate? > > > https://groups.google.com/d/msg/mozilla.dev.security.policy/EzjIkNGfVEE/XSfw4tZPBwAJ > > > > On We

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-02 Thread Peter Mate Erdosi via dev-security-policy
X is also a (misissued) delegated > OCSP signing certificate that is in scope for the BRs and the Mozilla Root > Store Policy. > > -- > *From:* dev-security-policy > on behalf of Peter Mate Erdosi via dev-security-policy < > dev-security-policy@lists.mozilla.org>

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-02 Thread Peter Mate Erdosi via dev-security-policy
Just for my better understanding, is the following CA certificate "TLS-capable"?

X509v3 Basic Constraints critical: CA:TRUE
X509v3 Key Usage critical: Certificate Sign, CRL Sign
X509v3 Extended Key Usage: Time Stamping, OCSP Signing

Peter

On Thu, Jul 2, 2020 at 12:14 PM Rob Stradling via

Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Peter Mate, Erdosi via dev-security-policy
Dear list,

I have a question about the issuance of the OCSP responder certificates in case of technically constrained CAs. I apologize for the long introduction, but this may be an important audit question in the (near) future.

--- BEGIN INTRO ---

I would like to cite five points from the