I put the following questions on my bug at:
https://bugzilla.mozilla.org/show_bug.cgi?id=480966
There it was mentioned that I should post here.
The first two are mainly technical; the last is affected by the CA policy.
Multiple caIssuers and OCSP in AIA field, multiple CDP:
------------------------
RFC 5280 does not exclude having multiple OCSP and caIssuers fields in the
AIA. It is good for redundancy, for example to have two OCSP responders, so that
when one of them is down, the other is accessible. Does Firefox handle it? The
same also applies to the CDP.
OCSP request with multiple certificates from different CAs
--------------
The RFC has the possibility to send multiple certificate serial numbers in one
OCSP request. It is not defined whether it is allowed or not to put two certificate
serial numbers from different CAs.
Request ::= SEQUENCE {
    reqCert                     CertID,
    singleRequestExtensions     [0] EXPLICIT Extensions OPTIONAL }
In the response, there is only one signature field.
For example:
1. You have three certificates; for ease of imagination, a root, a subordinate CA
and an end-user certificate.
2. You create an OCSP request for them, including the serial numbers in one
request.
3. You get a response, but it has only one signature on it.
What is acceptable for this?
1. Report an error for the multiple request.
2. Sign with one of the OCSP responders?
a. You could have an OCSP responder for the root, which can tell that the
subordinate is OK.
b. You could have an OCSP responder for the subordinate, which can tell that the
end-user certificate is OK.
UCC certificate profile
----------------------------
There is the UCC certificate profile, which is needed by Exchange 2007 for use
with external and internal names. These names are put in the Subject
Alternative Name field of the certificate.
It is possible for these requests to have FQDNs for external names, and internal
names without a valid FQDN, for internal access. Is this UCC profile under this
best regards:
Varga Viktor
Head of System Operations and Customer Service
Netlock Kft.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
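The "one request, several CertIDs from different issuers" situation Viktor describes, worked through in code as an added example (this is the editor's illustration, not code from the original post, Mozilla, or Netlock). It hand-encodes an OCSPRequest per RFC 6960 section 4.1.1 with two CertIDs, one naming a root CA as issuer (for the subordinate CA certificate) and one naming the subordinate CA as issuer (for the end-entity certificate), then decodes it and groups the CertIDs by issuer. Every CertID in a response is covered by the single signature, so each issuer group a request mixes is a group the signing responder must be authorized for; the grouping function makes that visible. All issuer hashes and serial numbers are constructed values, not taken from real certificates.

```python
"""Hand-rolled DER encoding/decoding of an OCSP request (RFC 6960 s.4.1.1)
carrying CertIDs from different issuers.  Added example, not from the
original post.  All hashes and serials are constructed test values."""
import hashlib
from dataclasses import dataclass

SHA1_OID = b"\x06\x05\x2b\x0e\x03\x02\x1a"  # OID 1.3.14.3.2.26 (sha1)


def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(n: int) -> bytes:
    # Non-negative INTEGER; an extra leading byte keeps the high bit clear.
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def der_octet_string(b: bytes) -> bytes:
    return tlv(0x04, b)


def der_sequence(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


@dataclass(frozen=True)
class CertID:
    issuer_name_hash: bytes  # SHA-1 over the issuer's DER Name
    issuer_key_hash: bytes   # SHA-1 over the issuer's subjectPublicKey bits
    serial: int

    def encode(self) -> bytes:
        # CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
        alg = der_sequence(SHA1_OID, b"\x05\x00")  # sha1 with NULL parameters
        return der_sequence(alg, der_octet_string(self.issuer_name_hash),
                            der_octet_string(self.issuer_key_hash),
                            der_integer(self.serial))


def encode_ocsp_request(cert_ids: list[CertID]) -> bytes:
    # OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] OPTIONAL }
    # TBSRequest  ::= SEQUENCE { version [0] DEFAULT v1 (omitted in DER),
    #                            requestList SEQUENCE OF Request, ... }
    # Request     ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] OPTIONAL }
    request_list = der_sequence(*(der_sequence(c.encode()) for c in cert_ids))
    return der_sequence(der_sequence(request_list))


def der_read(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(content: bytes) -> list[tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def decode_ocsp_request(der: bytes) -> list[CertID]:
    tag, ocsp_req, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    tbs = der_children(ocsp_req)[0][1]
    # requestList is the first untagged SEQUENCE; [0]/[1] context tags are skipped.
    request_list = next(body for t, body in der_children(tbs) if t == 0x30)
    ids = []
    for _, request in der_children(request_list):
        fields = der_children(der_children(request)[0][1])  # reqCert CertID
        name_hash, key_hash, serial = (body for _, body in fields[1:4])
        ids.append(CertID(name_hash, key_hash, int.from_bytes(serial, "big", signed=True)))
    return ids


def group_by_issuer(cert_ids: list[CertID]) -> dict[tuple[bytes, bytes], list[int]]:
    """One response carries one signature, so every issuer group returned here
    is an issuer the signing responder would have to be authorized for."""
    groups: dict[tuple[bytes, bytes], list[int]] = {}
    for c in cert_ids:
        groups.setdefault((c.issuer_name_hash, c.issuer_key_hash), []).append(c.serial)
    return groups


def sample_request() -> bytes:
    # Constructed stand-ins for a root CA and a subordinate CA (not real certificates).
    root = (hashlib.sha1(b"CN=Example Root").digest(), hashlib.sha1(b"root-spki").digest())
    sub = (hashlib.sha1(b"CN=Example Sub CA").digest(), hashlib.sha1(b"sub-spki").digest())
    return encode_ocsp_request([
        CertID(*root, serial=0x1001),             # subordinate CA cert, issued by the root
        CertID(*sub, serial=0x8F2A3B4C5D6E7F),    # end-entity cert, issued by the sub CA
    ])


if __name__ == "__main__":
    req = sample_request()
    for issuer, serials in group_by_issuer(decode_ocsp_request(req)).items():
        print(issuer[0].hex()[:16], [hex(s) for s in serials])
```

The encoder deliberately emits two Request entries whose CertIDs name different issuers, which is exactly what RFC 6960's syntax permits and what a single-signature response has to answer for; running the decoder against a real responder's reply (after parsing its ResponseData the same way) would show which issuer groups that one signature is being asked to vouch for.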