Eddy Nigg:

I think we have a problem here! I wanted to make sure that the CA root and intermediate CA certificates don't include OCSP AIA extensions and I noticed the following when importing and examining the CA root...

- The CA root includes the OCSP service URI in the AIA extension:
  OCSP: URI: https://rca.e-szigno.hu/ocsp
- Upon going to https://srv.e-szigno.hu/ I received a sec_error_unknown_issuer error. Apparently the certificate isn't installed correctly and doesn't present the certificate chain.

The latter is just an annoyance which can be easily fixed, however the OCSP URI in the CA root IS a problem. Additionally the intermediate CA certificate might also feature the AIA extension (which I couldn't test).

As mentioned earlier, the Mozilla CA Policy states:

...might cause technical problems with the operation of our software, for example, with CAs that issue certificates that have...

...cRLDistributionPoints or OCSP authorityInfoAccess extensions for which no operational CRL or OCSP service exists.

Microsec doesn't provide an operational OCSP responder when used in conjunction with the AIA service URI. Over to Frank.


More follow-ups on this issue... I found a correctly installed certificate at https://rca.e-szigno.hu/ and I could also examine the intermediate CA certificate, which also features the OCSP AIA extension. This means that all certificates from the root up to the EE certificate include the AIA extension OCSP URI.

Additionally the OCSP URI is an HTTPS URL, which makes it even more unusable. How can the OCSP responder be accessed by HTTPS if it can't confirm the validity of the connection to the responder itself? IMO this is never going to work. OCSP responses are signed and SHOULD NOT be served over a secure connection. The only workaround would be to have the OCSP HTTPS connection signed by a certificate issued by a different CA.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
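The two checks Eddy performs by hand above (does a CA certificate carry an OCSP pointer in its authorityInfoAccess extension, and is that pointer an https URL) can be automated against the raw extension bytes. The following is an added example, not code from the original post or from Microsec; it uses only the Python standard library, and the AIA extension values it inspects are constructed inline with hypothetical example.test hostnames rather than taken from any real certificate. The OIDs (id-ad-ocsp 1.3.6.1.5.5.7.48.1, id-ad-caIssuers 1.3.6.1.5.5.7.48.2) and the [6] IMPLICIT IA5String tag for uniformResourceIdentifier are the ones defined in RFC 5280.

```python
"""Encode, decode and audit an X.509 AuthorityInfoAccess (AIA) extension value.

Added example (not from the mailing-list post). The extension bytes below are
constructed for illustration; no real CA's certificate is embedded here.
"""

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # 0x86 = [6] IMPLICIT IA5String


def _der_len(n):
    """DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_aia(entries):
    """entries: [(accessMethod OID, URI)] -> DER AuthorityInfoAccessSyntax."""
    descs = b"".join(
        _tlv(TAG_SEQUENCE, encode_oid(method) + _tlv(TAG_URI, uri.encode("ascii")))
        for method, uri in entries
    )
    return _tlv(TAG_SEQUENCE, descs)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_aia(der):
    """DER AuthorityInfoAccessSyntax -> [(accessMethod OID, URI or None)]."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        tag, oid, p = _read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod must be an OID")
        tag, loc, _ = _read_tlv(desc, p)
        # Only uniformResourceIdentifier GeneralNames are usable as a fetch target.
        out.append((decode_oid(oid), loc.decode("ascii") if tag == TAG_URI else None))
    return out


def check_aia(der, is_root=False):
    """Audit one certificate's AIA value; returns a list of findings (empty = clean)."""
    findings = []
    for method, uri in decode_aia(der):
        if method != OID_OCSP or uri is None:
            continue
        if is_root:
            findings.append("self-signed root carries an OCSP pointer: " + uri)
        if uri.lower().startswith("https://"):
            findings.append("OCSP URI is https; the TLS handshake to the responder "
                            "would itself need revocation checking: " + uri)
    return findings


# Constructed sample values (hypothetical hosts), not copied from any real CA.
SAMPLE_ROOT_AIA = encode_aia([(OID_OCSP, "https://ocsp.example.test/ocsp")])
SAMPLE_EE_AIA = encode_aia([(OID_CA_ISSUERS, "http://ca.example.test/ca.crt"),
                            (OID_OCSP, "http://ocsp.example.test")])

if __name__ == "__main__":
    for name, der, root in (("root", SAMPLE_ROOT_AIA, True), ("ee", SAMPLE_EE_AIA, False)):
        print(name, decode_aia(der), check_aia(der, is_root=root))
```

To run the same audit on a real certificate, extract the extension value first, for instance with `openssl asn1parse -in cert.pem -strparse <offset>` on the OCTET STRING that follows the authorityInfoAccess OID, or simply read it from `openssl x509 -in cert.pem -noout -text`; the `sec_error_unknown_issuer` symptom mentioned above is separate and is checked with `openssl s_client -connect host:443 -showcerts`, which lists every certificate the server actually sends.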
