It was at some point common to require digitalSignature. Many years ago when we developed support for OCSP in EJBCA, Mozilla browsers would not accept OCSP responses with only keyCertSign and crlSign. DigitalSignature was needed as well. So at least it was common behaviour some years ago.

I don't know if Firefox has changed that, I guess so as it seems unlikely Comodo would not work with Firefox.

RFC2560 does not specify anything about key usage, so my guess is that the CABForum has determined what browsers and public CAs should/could use.

Will try without digitalSignature in Firefox now :-)

Cheers,
Tomas

On 05/29/2013 04:55 PM, Matthew Hall wrote:
Comodo used the root cert to sign the responses, which the RFC allows. I think 
Java is getting carried away with strictness on this.
