> As reported in https://bugzilla.mozilla.org/show_bug.cgi?id=408949#c27
> this CA uses partitioned CRLs with CRL IDP extensions marked critical.
> NSS does not handle partitioned CRLs at this time, and any CRLs with
> critical CRL IDP extensions are rejected due to the presence of
> unknown critical extensions. At present, this causes no problem
> because Firefox and NSS do not automatically fetch CRLs using the
> CRL DP extension. But we're working on that, and when we implement
> it, it may well cause problems.

Comments #35 and #36 had updates on this:
"Exactly, our design of full CRL is inline with your recommendation. Our full CRL (http://crl1.hongkongpost.gov.hk/crl/eCertCA1CRL1.crl) does not carry the CIDP extensions."

> It is much less likely to cause problems for CAs that are NOT approved
> for EV than for CAs that ARE approved for EV, so one relevant question
> is: is this CA intended to be approved for EV?

This request is not for EV-enablement.

> Does this CA also implement OCSP?

No

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
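
The rejection behaviour discussed in this thread, as an added example that is not part of the original message and is not NSS code: a small model of the "unknown critical extension" rule applied to a CRL's extension list. The DER samples are constructed, only the crlExtensions SEQUENCE is parsed (not a whole CRL), and the client capability set `NO_IDP_SUPPORT` is an assumption.

```python
# Added illustration (not NSS code): the "unknown critical extension" rule
# applied to a DER-encoded crlExtensions list. Sample bytes are constructed.
OID_CRL_NUMBER = "2.5.29.20"
OID_ISSUING_DP = "2.5.29.28"   # issuingDistributionPoint (CRL IDP)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Yield (oid, critical) for each Extension in a SEQUENCE OF Extension."""
    _, body, _ = read_tlv(der, 0)
    pos = 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, nxt = read_tlv(ext, 0)
        tag, val, _ = read_tlv(ext, nxt)
        # critical is BOOLEAN DEFAULT FALSE, so it is absent when false
        yield decode_oid(oid), (tag == 0x01 and val != b"\x00")

def crl_usable(der, supported):
    """A CRL is unusable if any critical extension is not understood."""
    return all(oid in supported for oid, crit in parse_extensions(der) if crit)

def tlv(tag, body):                        # short-form builder for samples
    return bytes([tag, len(body)]) + body

def ext(oid_hex, critical, value):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + crit + tlv(0x04, value))

crl_number = ext("551d14", False, bytes.fromhex("020101"))
idp = ext("551d1c", True, bytes.fromhex("30038101ff"))
PARTITIONED = tlv(0x30, crl_number + idp)  # critical IDP present
FULL = tlv(0x30, crl_number)               # no IDP, like the full CRL above
NO_IDP_SUPPORT = {OID_CRL_NUMBER}          # assumed client capability set
```

A client whose supported set lacks the IDP OID discards the partitioned sample and accepts the full one, which is why a full CRL without the extension sidesteps the problem raised in the quoted text.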