Open Bug 663321 Opened 14 years ago Updated 2 years ago

libpkix: provide an option to control revocation checking of OCSP response signer certificates

Tracking

(Not tracked)

Status:

NEW

People

(Reporter: briansmith, Unassigned)

References

(
URL
)

Details

Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Reporter

Description

•

14 years ago

As part of the planned fix for bug 551429 discussed with Alexei, revocation checking of OCSP response signers will be disabled by default in all cases, even when CERT_GetUsePKIXForValidation has been called. However, some applications may want to do revocation checking of OCSP response signer certs, so CERT_PKIXVerifyCert should provide an option for enabling that revocation checking. That option should include the ability to control whether the id-pkix-ocsp-nocheck extension is honored. See http://tools.ietf.org/html/rfc2560#section-4.2.2.2.1

BMO Automation

Updated

•

3 years ago

Severity: normal → S3

Benjamin Beurdouche [:beurdouche]

Updated

•

2 years ago

Severity: S3 → N/A

Priority: -- → P5

You need to log in before you can comment on or make changes to this bug.

Bugzilla

libpkix: provide an option to control revocation checking of OCSP response signer certificates

Categories

(NSS :: Libraries, enhancement, P5)

Tracking

(Not tracked)

People

(Reporter: briansmith, Unassigned)

References

(
URL
)

Details

Crash Data

Security

(public)

User Story

Description

Updated

Updated