libpkix: provide an option to control revocation checking of OCSP response signer certificates

NEW
Unassigned

Status

--
enhancement
7 years ago
7 years ago

People

(Reporter: briansmith, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

As part of the planned fix for bug 551429 discussed with Alexei, revocation checking of OCSP response signers will be disabled by default in all cases, even when CERT_GetUsePKIXForValidation has been called. However, some applications may want to do revocation checking of OCSP response signer certs, so CERT_PKIXVerifyCert should provide an option for enabling that revocation checking. That option should include the ability to control whether the id-pkix-ocsp-nocheck extension is honored.

See http://tools.ietf.org/html/rfc2560#section-4.2.2.2.1
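
The decision the requested option would have to make, following the three cases in RFC 2560 section 4.2.2.2.1, as an added sketch that is not NSS or libpkix code. All type, field and enum names are hypothetical, and preferring the CRL Distribution Point when both it and AIA are present is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical caller-selected option; these are not NSS identifiers. */
typedef struct {
    bool check_signer_revocation; /* off by default, per the bug description */
    bool honor_ocsp_nocheck;      /* whether id-pkix-ocsp-nocheck is honored */
} SignerRevPolicy;

/* Constructed summary of a delegated OCSP response signer certificate. */
typedef struct {
    bool has_ocsp_nocheck; /* id-pkix-ocsp-nocheck extension present */
    bool has_crl_dp;       /* CRL Distribution Points extension present */
    bool has_aia;          /* Authority Information Access extension present */
} SignerCert;

typedef enum {
    REV_SKIP_DISABLED, /* option off: signer cert is not revocation checked */
    REV_SKIP_NOCHECK,  /* CA asserted nocheck and the caller honors it */
    REV_CHECK_CRL,     /* CA pointed at a CRL for the signer cert */
    REV_CHECK_AIA,     /* CA pointed at another method via AIA */
    REV_LOCAL_POLICY   /* CA specified no method: local policy decides */
} SignerRevAction;

SignerRevAction signer_rev_action(SignerRevPolicy p, SignerCert c)
{
    if (!p.check_signer_revocation)
        return REV_SKIP_DISABLED;
    /* nocheck only short-circuits when the caller chose to honor it. */
    if (c.has_ocsp_nocheck && p.honor_ocsp_nocheck)
        return REV_SKIP_NOCHECK;
    if (c.has_crl_dp)      /* assumption of this sketch: CRL DP wins over AIA */
        return REV_CHECK_CRL;
    if (c.has_aia)
        return REV_CHECK_AIA;
    return REV_LOCAL_POLICY;
}

int main(void)
{
    SignerCert cert = { true, true, false };   /* constructed sample */
    SignerRevPolicy strict = { true, false };  /* check, ignore nocheck */
    SignerRevPolicy lenient = { true, true };  /* check, honor nocheck */
    printf("strict=%d lenient=%d\n",
           signer_rev_action(strict, cert), signer_rev_action(lenient, cert));
    return 0;
}
```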