"the OCSP URI in the CA root IS a problem" Nelson, does NSS ever attempt to check the revocation status of a built-in Root Certificate if that Root Certificate contains CRLDP(s) and/or OCSP URI(s) ?
On Sunday 12 October 2008 16:40:11 Eddy Nigg wrote:
> Eddy Nigg:
> > Except if Nelson thinks otherwise, removing the AIA OCSP service URI
> > solves this issue. More specifically the Mozilla CA Policy calls for:
> >
> > cRLDistributionPoints or OCSP authorityInfoAccess extensions for which
> > no operational CRL or OCSP service exists.
> >
> > Therefore the OCSP reference MUST NOT appear in the EE certificates of
> > Microsec. I suggest to follow up on this to confirm compliance.
>
> I think we have a problem here! I wanted to make sure that the CA root
> and intermediate CA certificates don't include OCSP AIA extensions and I
> noticed the following when importing and examining the CA root...
>
> - The CA root includes the OCSP service URI in the AIA extension:
>   OCSP: URI: https://rca.e-szigno.hu/ocsp
> - Upon going to https://srv.e-szigno.hu/ I received a
>   sec_error_unknown_issuer error. Apparently the certificate isn't
>   installed correctly and doesn't present the certificate chain.
>
> The latter is just an annoyance which can be easily fixed, however the
> OCSP URI in the CA root IS a problem. Additionally the intermediate CA
> certificate might also feature the AIA extension (which I couldn't test).
>
> As mentioned earlier, the Mozilla CA Policy states:
>
> ...might cause technical problems with the operation of our software,
> for example, with CAs that issue certificates that have...
>
> ...cRLDistributionPoints or OCSP authorityInfoAccess extensions for
> which no operational CRL or OCSP service exists.
>
> Microsec doesn't provide an operational OCSP responder when used in
> conjunction with AIA service URI.

Over to Frank.

-- 
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
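The finding in the quoted message is that a root certificate carries an authorityInfoAccess (AIA) extension advertising an OCSP URI for which no responder answers. The following is an added example, not code from this thread, from NSS or from Microsec: it encodes the AIA extension value (RFC 5280 section 4.2.2.1) with the OCSP URI quoted above, parses it back with a small DER walker, and reports any advertised OCSP URI that is not in a caller-supplied set of responders known to be operational. That set is a parameter (the script makes no network calls); the DER helper names are my own and are not NSS APIs.

```python
"""Encode, parse and policy-check an AuthorityInfoAccess extension value.

Added example for the dev-tech-crypto discussion; the DER helpers here are
hand-written for illustration (stdlib only) and are not NSS or any library's API.
"""

OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp (RFC 5280)
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers (RFC 5280)


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_aia(entries):
    """entries: list of (accessMethod OID, URI). Returns DER AuthorityInfoAccessSyntax.

    AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    The GeneralName is uniformResourceIdentifier, context tag [6] (0x86), IA5String.
    """
    descs = b"".join(
        _tlv(0x30, _encode_oid(method) + _tlv(0x86, uri.encode("ascii")))
        for method, uri in entries)
    return _tlv(0x30, descs)


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    # First octet packs arcs 0 and 1; adequate for the 1.x and 2.5.x OIDs used here.
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_aia(der):
    """Return [(accessMethod OID, URI-or-None)] from a DER AIA extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccessSyntax must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t, oid_content, p = _read_tlv(desc, 0)
        if t != 0x06:
            raise ValueError("accessMethod must be an OID")
        t2, loc, _ = _read_tlv(desc, p)
        # Only URI GeneralNames ([6]) are reported; other name forms yield None.
        uri = loc.decode("ascii") if t2 == 0x86 else None
        entries.append((_decode_oid(oid_content), uri))
    return entries


def non_operational_ocsp(aia_entries, operational_ocsp_uris):
    """OCSP URIs the certificate advertises that are not known to be operational.

    This is the Mozilla CA Policy point quoted in the thread: an AIA OCSP
    reference for which no operational service exists. 'operational_ocsp_uris'
    is supplied by the caller (e.g. from a separate responder health check).
    """
    return [uri for method, uri in aia_entries
            if method == OID_AD_OCSP and uri is not None
            and uri not in operational_ocsp_uris]


if __name__ == "__main__":
    # Constructed input: the OCSP URI reported for the Microsec root in the thread.
    der = encode_aia([(OID_AD_OCSP, "https://rca.e-szigno.hu/ocsp")])
    for uri in non_operational_ocsp(parse_aia(der), operational_ocsp_uris=set()):
        print("AIA advertises OCSP responder with no operational service:", uri)
```

In practice `der` would be the OCTET STRING contents of the certificate's 1.3.6.1.5.5.7.1.1 extension rather than a value built here, and the operational set would come from actually querying each responder; the parsing and the policy rule stay the same.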