Re: Debug build
Kai Engert wrote:

Eddy Nigg (StartCom Ltd.) wrote:
> Does anybody have a debug build running somewhere as described at
> http://wiki.mozilla.org/PSM:EV_Testing ? I'd like to ask for a small
> favor before tinkering with my own build...

I have one on my local system.

Kai
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Debug build
Eddy Nigg (StartCom Ltd.) wrote:

Hi Kai,

Kai Engert wrote:
> I have one on my local system.
>
> Kai

Could you make a small test by using the OID 1.3.6.1.4.1.23223.1.1.5 and our root (SHA1 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F) and access the site https://ev.mediahost.org/ for reference? It's not urgent and I can wait a few days for it... just want to make sure that it works as expected with FF3. If possible, can you make a screen shot of the address bar if it works correctly?

Thanks a lot!

Shit, that wasn't supposed to go to the list, but somebody changed the defaults for replying to the mailing list. Previously only Reply All would also have posted to the list. Except Kai, please ignore!
OCSP checking for intermediate and root CAs
Eddy Nigg (StartCom Ltd.) wrote:

During recent testing I suspect that intermediate CA certificates which have an OCSP URI value in the AIA extension aren't looked up at the OCSP server even with the settings to do so (using FF3). Is this behavior correct? Is it expected and by design? Else?

--
Regards

Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Re: OCSP checking for intermediate and root CAs
Eddy Nigg (StartCom Ltd.) wrote:

Eddy Nigg (StartCom Ltd.) wrote:
> During recent testing I suspect that intermediate CA certificates which
> have an OCSP URI value in the AIA extension aren't looked up at the OCSP
> server even with the settings to do so (using FF3). Is this behavior
> correct? Is it expected and by design? Else?

Correction! It does ping the OCSP server. However, there is a different issue I saw in relation with that. For how long is a WRONG OCSP response cached? I visited a site which initially received a wrong response and ever since reports /sec_error_untrusted_cert/ even though when using a different provider or different browser everything is fine, since the error at the OCSP server has been corrected.
Re: OCSP checking for intermediate and root CAs
Nelson B Bolyard wrote:

Eddy Nigg (StartCom Ltd.) wrote:
> During recent testing I suspect that intermediate CA certificates which
> have an OCSP URI value in the AIA extension aren't looked up at the OCSP
> server even with the settings to do so (using FF3). Is this behavior
> correct? Is it expected and by design? Else?

In all versions of Mozilla browsers shipped to date, OCSP checking is only done for EE (leaf, server) certs, not for CA certs. However, beginning in Firefox 3, for EV certs only, all certs in the chain that have OCSP AIA extensions are checked with OCSP.

> Correction! It does ping the OCSP server. However, there is a different
> issue I saw in relation with that. For how long is a WRONG OCSP response
> cached? I visited a site which initially received a wrong response and
> ever since reports /sec_error_untrusted_cert/ even though when using a
> different provider or different browser everything is fine, since the
> error at the OCSP server has been corrected.

The OCSP response itself tells how long it should be cached. However, the browser imposes an upper limit on OCSP response cache lifetimes that is ~24 hours, as I recall (might be shorter, but not longer). Also, the OCSP response cache is only in process memory, so restarting the browser empties it.
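The two rules Nelson describes (which chain certs get an OCSP lookup, and how long a response, right or wrong, stays in the in-memory cache) as an added illustration; this is not NSS or Firefox code, and the 24-hour cap is taken from Nelson's recollection rather than from the actual NSS source:

```python
# Cap on how long a cached OCSP response lives, per Nelson's recollection
# (~24 h); the exact NSS figure is not in the thread, so this is an assumption.
MAX_CACHE_LIFETIME = 24 * 3600  # seconds


def certs_to_check(chain, ev):
    """Names of the chain certs that get an OCSP lookup.

    chain: leaf-first list of dicts {"name", "is_ee", "ocsp_aia"}.
    ev: True when validating against an EV policy (Firefox 3 behaviour).
    Non-EV: only the EE cert is checked. EV: every cert that carries an
    OCSP AIA URI is checked, intermediates included.
    """
    return [c["name"] for c in chain
            if c["ocsp_aia"] and (c["is_ee"] or ev)]


def cache_lifetime(next_update, now):
    """Seconds a response stays cached: until nextUpdate, capped at ~24 h.

    Times are Unix timestamps; an already-expired response is not cached.
    """
    remaining = next_update - now
    if remaining <= 0:
        return 0
    return min(remaining, MAX_CACHE_LIFETIME)


class OcspCache:
    """In-process cache: a wrong answer is served until its entry expires."""

    def __init__(self):
        self._entries = {}  # cert name -> (status, expires_at)

    def put(self, name, status, next_update, now):
        self._entries[name] = (status, now + cache_lifetime(next_update, now))

    def get(self, name, now):
        """Cached status, or None when absent/expired (forces a new lookup)."""
        entry = self._entries.get(name)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def restart(self):
        """Browser restart: the cache lives only in process memory."""
        self._entries.clear()
```

With a wrong response whose nextUpdate is a week out, `OcspCache` keeps serving it for the full 24-hour cap, which is the behaviour Eddy saw; only expiry or a restart forces a fresh lookup.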
Re: OCSP checking for intermediate and root CAs
Eddy Nigg (StartCom Ltd.) wrote:

Nelson B Bolyard wrote:
> In all versions of Mozilla browsers shipped to date, OCSP checking is
> only done for EE (leaf, server) certs, not for CA certs. However,
> beginning in Firefox 3, for EV certs only, all certs in the chain that
> have OCSP AIA extensions are checked with OCSP.

OK, then my observation was about right... and the CA OCSP request which I've seen must have been coming from somewhere else.

> The OCSP response itself tells how long it should be cached. However,
> the browser imposes an upper limit on OCSP response cache lifetimes that
> is ~24 hours, as I recall (might be shorter, but not longer). Also, the
> OCSP response cache is only in process memory, so restarting the browser
> empties it.

OK, thanks once again Nelson. Going to keep an eye on how it really behaves.