Open Bug 1093305 Opened 10 years ago Updated 2 years ago

only accept critical id-pkix-ocsp-nocheck extension in certificates being verified in an OCSP context

Categories: Core :: Security: PSM, defect, P3


People: Reporter: keeler, Unassigned

Details

(Whiteboard: [psm-backlog])

Bug 1079658 adds "support" for id-pkix-ocsp-nocheck by essentially ignoring it (particularly when marked critical, which would previously cause failures with an unknown critical extension error).

(Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from bug 1079658 comment #4)
> One thing to consider is whether the presence of this extension in a
> non-OCSP context (when requiredEKUIfPresent != id_kp_OCSPSigning ||
> endEntityOrCA != EndEntityOrCA::EndEntity) should be considered an error.

In this bug, we can explore this possibility and do it if it's a good idea.
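One way to implement the check Brian raises, as an added example that is not mozilla::pkix code and not a patch from this bug: a minimal DER parser for a single X.509 Extension recognises id-pkix-ocsp-nocheck (OID 1.3.6.1.5.5.7.48.1.5, RFC 6960 4.2.2.2.1) and its critical flag, and the policy function accepts (and ignores) the extension only for an end-entity certificate being verified for id-kp-OCSPSigning. Outside that context a critical instance fails as an unknown critical extension, as it did before bug 1079658, and a non-critical instance fails with a dedicated error, which is the stricter option the comment above asks about. The enum names, the Result values and the MakeExtension builder are assumptions chosen to mirror the parameters named in the quote; the DER byte strings are constructed inline.

```cpp
// Added example, not mozilla::pkix code: policy for id-pkix-ocsp-nocheck
// depending on the verification context.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Context parameters, mirroring those named in the bug (assumed names).
enum class EndEntityOrCA { EndEntity, CA };
enum class RequiredEKU { None, ServerAuth, OCSPSigning };

enum class Result {
  Success,
  ErrorUnknownCriticalExtension,
  ErrorNoCheckOutsideOcspContext,  // hypothetical error code for this bug
  ErrorBadDER,
};

// DER TLV of OBJECT IDENTIFIER 1.3.6.1.5.5.7.48.1.5 (id-pkix-ocsp-nocheck).
static const uint8_t kNoCheckOID[] = {0x06, 0x09, 0x2B, 0x06, 0x01, 0x05,
                                      0x05, 0x07, 0x30, 0x01, 0x05};

struct Extension {
  bool isNoCheck;
  bool critical;
};

// Parse one Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT
// FALSE, extnValue OCTET STRING }. Short-form lengths only; DER forbids an
// explicit FALSE and requires TRUE to be encoded as 0xFF, both enforced here.
static bool ParseExtension(const std::vector<uint8_t>& der, Extension& out) {
  size_t i = 0;
  if (der.size() < 2 || der[i++] != 0x30) return false;
  size_t seqLen = der[i++];
  if (seqLen > 0x7F || i + seqLen != der.size()) return false;
  if (i + 2 > der.size() || der[i] != 0x06) return false;
  size_t oidLen = der[i + 1];
  if (oidLen > 0x7F || i + 2 + oidLen > der.size()) return false;
  out.isNoCheck = (2 + oidLen == sizeof(kNoCheckOID)) &&
                  memcmp(&der[i], kNoCheckOID, sizeof(kNoCheckOID)) == 0;
  i += 2 + oidLen;
  out.critical = false;
  if (i < der.size() && der[i] == 0x01) {  // optional BOOLEAN critical
    if (i + 3 > der.size() || der[i + 1] != 0x01) return false;
    if (der[i + 2] != 0xFF) return false;  // FALSE must be omitted in DER
    out.critical = true;
    i += 3;
  }
  if (i + 2 > der.size() || der[i] != 0x04) return false;  // OCTET STRING
  size_t valLen = der[i + 1];
  if (valLen > 0x7F || i + 2 + valLen != der.size()) return false;
  return true;
}

// Accept (and ignore) id-pkix-ocsp-nocheck only when verifying an end-entity
// certificate for OCSP signing; treat it as an error everywhere else.
Result CheckNoCheckExtension(const std::vector<uint8_t>& extDER,
                             RequiredEKU requiredEKUIfPresent,
                             EndEntityOrCA endEntityOrCA) {
  Extension ext;
  if (!ParseExtension(extDER, ext)) return Result::ErrorBadDER;
  if (!ext.isNoCheck) {
    // Not our extension: an unrecognised critical one is still fatal.
    return ext.critical ? Result::ErrorUnknownCriticalExtension : Result::Success;
  }
  bool ocspContext = requiredEKUIfPresent == RequiredEKU::OCSPSigning &&
                     endEntityOrCA == EndEntityOrCA::EndEntity;
  if (ocspContext) return Result::Success;
  return ext.critical ? Result::ErrorUnknownCriticalExtension
                      : Result::ErrorNoCheckOutsideOcspContext;
}

// Test helper (constructed input): build a DER Extension from an OID TLV,
// a critical flag and an already-encoded extnValue.
static std::vector<uint8_t> MakeExtension(const std::vector<uint8_t>& oidTLV,
                                          bool critical,
                                          const std::vector<uint8_t>& value) {
  std::vector<uint8_t> body(oidTLV);
  if (critical) { body.push_back(0x01); body.push_back(0x01); body.push_back(0xFF); }
  body.push_back(0x04);
  body.push_back(static_cast<uint8_t>(value.size()));
  body.insert(body.end(), value.begin(), value.end());
  std::vector<uint8_t> der = {0x30, static_cast<uint8_t>(body.size())};
  der.insert(der.end(), body.begin(), body.end());
  return der;
}

// id-pkix-ocsp-nocheck carries a DER NULL (05 00) as its value.
std::vector<uint8_t> MakeNoCheckExtension(bool critical) {
  std::vector<uint8_t> oid(kNoCheckOID, kNoCheckOID + sizeof(kNoCheckOID));
  return MakeExtension(oid, critical, {0x05, 0x00});
}

int main() {
  Result ocsp = CheckNoCheckExtension(MakeNoCheckExtension(true),
                                      RequiredEKU::OCSPSigning,
                                      EndEntityOrCA::EndEntity);
  Result tls = CheckNoCheckExtension(MakeNoCheckExtension(true),
                                     RequiredEKU::ServerAuth,
                                     EndEntityOrCA::EndEntity);
  printf("critical nocheck, OCSP responder: %s\n",
         ocsp == Result::Success ? "accepted" : "rejected");
  printf("critical nocheck, TLS server cert: %s\n",
         tls == Result::Success ? "accepted" : "rejected");
  return 0;
}
```

The parser rejects a BER-style explicit `critical FALSE` (01 01 00) rather than silently reading it as non-critical, so an encoder that gets the DEFAULT rule wrong fails loudly instead of changing how the policy is applied.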
Whiteboard: [psm-backlog]
Priority: -- → P3
Severity: normal → S3