Frank Hecker wrote:
> * OCSP. My understanding is that the Microsec practice of having a
> separate root for OCSP is very problematic, particularly given the
> inclusion of AIA extensions with OCSP URLs in end entity certificates.
> As I understand it, Microsec is removing AIA extensions with OCSP URLs
> from end entity certificates and from intermediate CA certificates, and
> this should address this problem going forward.

... after some period of time has elapsed. Certainly the day after they
begin to issue certs without the OCSP URL in the AIA extension, 99+% of
the existing certs will still have those AIA extensions. Over time that
number should decline. At what point does it become appropriate to
consider the problem to have abated enough to no longer be an issue?
Is it when the number of remaining outstanding valid certs that bear
that AIA extension is 90%? 50%? 20%? 10%? 5%? 1%?

Do we know what the maximum validity period is in the certs they've
issued? That would give us a date after which we could be sure it's 0%.

> However there still appears to be an open question as to whether having an
> AIA extension with OCSP URL in the Microsec root certificate will cause a
> problem with NSS. (Nelson wrote that he was going to investigate this, but I
> don't recall seeing a follow-up to this.)

Sorry, I did get the answer but forgot to write it up. :-/

Although we haven't tested it with libPKIX, as far as I know, OCSP URLs
in root certs will not be a problem for NSS. NSS will never check a
self-issued cert for OCSP revocation.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
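The two technical points in the message above, "what fraction of outstanding certs still carry the OCSP URL, and when is it certain to be 0%" and "a self-issued cert is never OCSP-checked", are small enough to model in code. The following is an added example written for this page; it is not NSS source and not anything Microsec or Mozilla published. It uses Go's standard crypto/x509 to build a constructed hierarchy (a self-signed root whose own AIA names an OCSP responder, one leaf issued under the old practice with the URL and one under the new practice without it), then applies the rule Nelson describes and computes the sunset date from the latest NotAfter. Assumptions: "self-issued" is taken in the RFC 5280 section 6.1 sense (issuer DN byte-identical to subject DN), the responder URL and host names are placeholders, and the validity dates are invented to make the numbers easy to follow.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Placeholder responder URL for the constructed sample; not Microsec's.
const sampleOCSPURL = "http://ocsp.example.invalid/"

// ym builds a UTC midnight timestamp for the first of a month (sample dates only).
func ym(y, m int) time.Time { return time.Date(y, time.Month(m), 1, 0, 0, 0, 0, time.UTC) }

// isSelfIssued uses the RFC 5280 s.6.1 definition: issuer DN byte-identical to subject DN.
func isSelfIssued(c *x509.Certificate) bool { return bytes.Equal(c.RawIssuer, c.RawSubject) }

// hasOCSPAIA reports whether the AIA extension names at least one OCSP responder.
func hasOCSPAIA(c *x509.Certificate) bool { return len(c.OCSPServer) > 0 }

// needsOCSPCheck restates the NSS behaviour described in the thread (not NSS code):
// an AIA OCSP URL triggers a lookup only on certs that are not self-issued.
func needsOCSPCheck(c *x509.Certificate) bool { return hasOCSPAIA(c) && !isSelfIssued(c) }

// aiaSunset answers the "what percentage is left" question: among certs valid at `at`,
// the fraction still carrying an OCSP URL, and the latest NotAfter among those, which is
// the date after which the fraction is guaranteed to be zero (zero time if none remain).
func aiaSunset(certs []*x509.Certificate, at time.Time) (fraction float64, zeroAfter time.Time) {
	valid, carrying := 0, 0
	for _, c := range certs {
		if at.Before(c.NotBefore) || at.After(c.NotAfter) {
			continue // expired or not yet valid: not an outstanding cert
		}
		valid++
		if hasOCSPAIA(c) {
			carrying++
			if c.NotAfter.After(zeroAfter) {
				zeroAfter = c.NotAfter
			}
		}
	}
	if valid == 0 {
		return 0, zeroAfter
	}
	return float64(carrying) / float64(valid), zeroAfter
}

// sample is the constructed hierarchy; OldLeaf carries the OCSP URL, NewLeaf does not.
type sample struct{ Root, OldLeaf, NewLeaf *x509.Certificate }

func (s sample) Leaves() []*x509.Certificate { return []*x509.Certificate{s.OldLeaf, s.NewLeaf} }

func mustCert(tmpl, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildSample() sample {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway keys
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root (constructed)"},
		NotBefore: ym(2008, 1), NotAfter: ym(2018, 1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage:   x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		OCSPServer: []string{sampleOCSPURL}, // the root-level AIA the thread asks about
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leaf := func(serial int64, cn string, nb, na time.Time, ocsp []string) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature, OCSPServer: ocsp}
		return mustCert(t, root, &leafKey.PublicKey, rootKey)
	}
	return sample{
		Root:    root,
		OldLeaf: leaf(2, "old.example.invalid", ym(2008, 1), ym(2010, 1), []string{sampleOCSPURL}),
		NewLeaf: leaf(3, "new.example.invalid", ym(2009, 1), ym(2011, 1), nil),
	}
}

func main() {
	s := buildSample()
	for _, c := range []*x509.Certificate{s.Root, s.OldLeaf, s.NewLeaf} {
		fmt.Printf("%-28s self-issued=%-5v aia-ocsp=%-5v ocsp-check=%v\n",
			c.Subject.CommonName, isSelfIssued(c), hasOCSPAIA(c), needsOCSPCheck(c))
	}
	for _, at := range []time.Time{ym(2008, 7), ym(2009, 6), ym(2010, 6)} {
		f, z := aiaSunset(s.Leaves(), at)
		fmt.Printf("at %s: %.0f%% of valid leaves carry the URL, zero after %v\n",
			at.Format("2006-01"), 100*f, z.Format("2006-01-02"))
	}
}
```

Run with `go run .`; the report shows the root flagged as carrying an OCSP URL yet exempt from checking, 100% of valid leaves carrying the URL in mid-2008, 50% in mid-2009 once a new-practice cert is outstanding, and 0% after the old leaf's NotAfter, which is exactly the "date after which we could be sure it's 0%" that the message asks for. On real data, replace buildSample with the CA's issued certificates and use the maximum validity period the CA actually applied.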