Thank you, now I know that Firefox doesn't want to create a request like this.

Best regards,
Varga Viktor
Head of System Operations and Customer Service
Netlock Kft.


-----Original Message-----
From: dev-tech-crypto-bounces+varga_v=netlock...@lists.mozilla.org 
[mailto:dev-tech-crypto-bounces+varga_v=netlock...@lists.mozilla.org] On Behalf 
Of Nelson Bolyard
Sent: Wednesday, March 11, 2009 10:31 AM
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: SV: Questions about Potentially Problematic Practices

Jean-Marc Desperrier wrote, On 2009-03-10 04:55:
> Peter Lind Damkjær wrote:
>> Varga Viktor wrote:
>>> <snip>
>>> OCSP request with multiple certificate from different CA
>>> --------------
>>>
>>> The RFC has the possibility to send multiple certificate serial numbers in an
>>> OCSP request. It is not defined whether it is allowed or not to put two
>>> certificate serial numbers from different CAs.
>>>
>>>     Request         ::=     SEQUENCE {
>>>         reqCert                     CertID,
> 
> Each CertID in the request contains both the serialNumber *and* the 
> issuerNameHash. So it's perfectly defined that you can use it to 
> identify two certificates from different CAs.
> 
>>> In the response, there is only one signature field.
> 
> So the signature needs to be from an OCSP responder that's valid for 
> *both* CAs.
> 
> This means, as per "4.2.2.2  Authorized Responders", that this 
> configuration can only work if the responder matches a local 
> configuration of OCSP signing authority, and therefore can not simply be 
> the CA or a certificate that has been delegated the OCSP responder role
> with id-ad-ocspSigning.

That's exactly right.  But this whole discussion may be moot, because
Firefox does not presently ever send an OCSP request with multiple
serial numbers.  Each cert is separately queried.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
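
The point made in the thread, that each CertID carries its own issuer hashes so one OCSP request can name certificates from different CAs, shown as an added example that is not part of the original messages. It uses a minimal hand-written DER writer and reader (standard library only); the CA names, keys and serial numbers are constructed placeholders, where a real client would hash the issuer's DER-encoded name and public key.

```python
import hashlib

SHA1_ALG = bytes.fromhex("300906052b0e03021a0500")  # AlgorithmIdentifier: SHA-1 (1.3.14.3.2.26), NULL params

def tlv(tag, body):
    """DER tag-length-value, short or long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def cert_id(issuer_name, issuer_key, serial):
    """CertID: hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber."""
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    hashes = tlv(0x04, hashlib.sha1(issuer_name).digest()) + tlv(0x04, hashlib.sha1(issuer_key).digest())
    return tlv(0x30, SHA1_ALG + hashes + tlv(0x02, serial_bytes))

def ocsp_request(cert_ids):
    """OCSPRequest { tbsRequest { requestList: one Request per CertID } }."""
    request_list = tlv(0x30, b"".join(tlv(0x30, c) for c in cert_ids))
    return tlv(0x30, tlv(0x30, request_list))

def children(body):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:
            size = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + size], "big"), pos + size
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def issuers_in_request(der):
    """Map (issuerNameHash, issuerKeyHash) -> serial numbers asked about."""
    tbs = children(children(der)[0][1])[0][1]
    request_list = next(v for t, v in children(tbs) if t == 0x30)
    issuers = {}
    for _, request in children(request_list):
        _, name_hash, key_hash, serial = (v for _, v in children(children(request)[0][1]))
        issuers.setdefault((name_hash.hex(), key_hash.hex()), []).append(int.from_bytes(serial, "big"))
    return issuers

# Constructed sample: placeholder bytes stand in for each CA's DER name and public key.
CA_A, CA_B = (b"constructed CA A name", b"key A"), (b"constructed CA B name", b"key B")
MIXED = ocsp_request([cert_id(*CA_A, 0x1001), cert_id(*CA_B, 0x2002), cert_id(*CA_A, 0x1003)])
```

`issuers_in_request(MIXED)` returns two issuer keys, so a single signed response covering this request would have to come from a responder authorized for both CAs, as discussed above.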
