On Monday 13 October 2008 15:36:02 István Zsolt BERTA wrote: <snip> > > - The CA root includes the OCSP service URI in the AIA extension: > > We accept that it is awkward that our root certificate includes the > OCSP AIA extension, it was a bad idea for us to include it. > Unfortunately our root certificate is not something we can change on > the short run.
István, Just a thought... If Nelson's investigation does find that the OCSP AIA extension in your Root Certificate is a problem for NSS, is there really anything to stop you from issuing a new Root Certificate? This new Root Certificate could be identical to your current Root Certificate except for i) different serial number, and ii) OCSP AIA removed. As the old and new Root Certificates would have the same Subject Name and Key, they would effectively be interchangeable. > We don't quite understand why anyone would check the revocation status > of a trust anchor via CRL or OCSP. > > Regards, > > István > _______________________________________________ > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- Rob Stradling Senior Research & Development Scientist Comodo - Creating Trust Online Office Tel: +44.(0)1274.730505 Fax Europe: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
