Eddy Nigg:
Except if Nelson thinks otherwise, removing the AIA OCSP service URI
solves this issue. More specifically, the Mozilla CA Policy calls for:
cRLDistributionPoints or OCSP authorityInfoAccess extensions for which
no operational CRL or OCSP service exists.
Therefore the OCSP reference MUST NOT appear in the EE certificates of
Microsec. I suggest following up on this to confirm compliance.
I think we have a problem here! I wanted to make sure that the CA root
and intermediate CA certificates don't include OCSP AIA extensions and I
noticed the following when importing and examining the CA root...
- The CA root includes the OCSP service URI in the AIA extension:
OCSP: URI: https://rca.e-szigno.hu/ocsp
- Upon going to https://srv.e-szigno.hu/ I received a
sec_error_unknown_issuer error. Apparently the certificate isn't
installed correctly and doesn't present the certificate chain.
The latter is just an annoyance which can be easily fixed, however the
OCSP URI in the CA root IS a problem. Additionally the intermediate CA
certificate might also feature the AIA extension (which I couldn't test).
As mentioned earlier, the Mozilla CA Policy states:
...might cause technical problems with the operation of our software,
for example, with CAs that issue certificates that have...
...cRLDistributionPoints or OCSP authorityInfoAccess extensions for
which no operational CRL or OCSP service exists.
Microsec doesn't provide an operational OCSP responder when used in
conjunction with AIA service URI. Over to Frank.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
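The check Eddy describes above (importing the root and intermediate and looking for an OCSP URI in the AIA extension of a CA certificate) can be scripted. This is an added example, not code from the thread or from any CA; it assumes the openssl CLI is on PATH, and every certificate it examines is constructed on the spot.

```shell
#!/bin/sh
# Audit PEM certificates for an OCSP URI in the authorityInfoAccess extension
# of a CA certificate (basicConstraints CA:TRUE). Constructed example; the
# certificates below are throwaway self-signed test data, not real CA material.

# List the OCSP URIs in the certificate's AIA extension, one per line (empty if none).
aia_ocsp_uris() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *OCSP - URI:\(.*\)$/\1/p'
}

# Succeed if basicConstraints marks the certificate as a CA.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Classify one certificate: CA-WITH-OCSP-AIA (a live responder must exist for it,
# otherwise the URI has to go), CA-OK, or EE (an OCSP URI in an end-entity
# certificate is the normal case, as long as the responder is operational).
audit_cert() {
  if is_ca_cert "$1"; then
    [ -n "$(aia_ocsp_uris "$1")" ] && echo CA-WITH-OCSP-AIA || echo CA-OK
  else
    echo EE
  fi
}

# Build a throwaway self-signed certificate at $1 with the extension lines in $2.
# A temporary config file is used so this works on old and new openssl alike.
make_test_cert() {
  cfg=$(mktemp); key=$(mktemp)
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=Constructed Test\n[ext]\n%b\n' "$2" >"$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" -days 1 \
    -config "$cfg" -extensions ext >/dev/null 2>&1
  rm -f "$cfg" "$key"
}

# Constructed inputs: a root with an OCSP AIA (the case from the thread), a clean
# root, and an end-entity certificate with an OCSP AIA (the normal case).
make_test_cert root.pem 'basicConstraints=critical,CA:TRUE\nauthorityInfoAccess=OCSP;URI:https://ocsp.example.invalid/'
make_test_cert clean.pem 'basicConstraints=critical,CA:TRUE'
make_test_cert ee.pem 'basicConstraints=CA:FALSE\nauthorityInfoAccess=OCSP;URI:https://ocsp.example.invalid/'

for f in root.pem clean.pem ee.pem; do
  printf '%s: %s\n' "$f" "$(audit_cert "$f")"
done
```

Run it against the real root and intermediate (`audit_cert rca.pem`) to reproduce the finding; whether the responder a CA certificate points at is actually operational still needs a live `openssl ocsp` query, which this static check does not perform.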