Today, when using libpkix verification combined with strict OCSP, visit https://www.dhl.de and you get a "revoked cert" error page.

After the usual nightmare of tracing through the libpkix code, I identified the cause: the OCSP server returns SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST for the intermediate CA with subject name "CN=DPWN Root CA R2 PS,OU=IT Services,O=Deutsche Post World Net,DC=com".

Currently the detailed error code for our revocation checking failure is lost. For example, pkix_OcspChecker_CheckExternal will set the revocation status to "revoked", and the detailed error code is lost.

In my opinion, we might have a difficult time lobbying for strict OCSP checking as long as diagnosing OCSP failures is difficult. We should enhance NSS to return this information. For example, after pkix_CheckChain has called PKIX_RevocationChecker_Check, detected the "revoked" status, and created an error object, the original error code should be added.

(I realize that NSS already creates an error log entry that points to the affected intermediate cert, so the application COULD already report exactly which cert triggered the failure... I will file a separate bug to propose doing that.)
I think in strict mode, we should report the original error (such as SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST) instead of SEC_ERROR_REVOKED_CERTIFICATE. It is inaccurate to report that a certificate is revoked when we cannot check its revocation status. Reporting the original error will also fix this bug.
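The distinction the two comments are asking for, as an added illustration that is not NSS code: a revocation result that keeps the detailed error and the offending certificate alongside the revoked/not-revoked status, with the legacy mapping (everything becomes "revoked") beside the proposed one (the original OCSP error surfaces). The enum values, the OcspAnswer model and the chain for www.dhl.de are constructed for the example; only the error names mirror NSS.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for the NSS error names used in this bug. The numeric values are
 * constructed for this example and are not NSS's real secerr.h values. */
enum {
    MOCK_SEC_ERROR_REVOKED_CERTIFICATE       = 1,
    MOCK_SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = 2,
    MOCK_SEC_ERROR_OCSP_TRY_SERVER_LATER     = 3
};

/* Parsed responder answer for one cert (constructed model, not an NSS type). */
typedef enum { OCSP_GOOD, OCSP_REVOKED, OCSP_UNAUTHORIZED, OCSP_TRY_LATER } OcspAnswer;

/* One chain element: subject name plus what the responder said about it. */
typedef struct { const char *subject; OcspAnswer answer; } ChainCert;

/* Result that keeps the detailed error and the offending cert, rather than
 * collapsing every failure to "revoked". error == 0 means the chain passed. */
typedef struct { int revoked; int error; const char *subject; } RevResult;

RevResult check_chain_ocsp(const ChainCert *chain, size_t n) {
    RevResult r = { 0, 0, NULL };
    for (size_t i = 0; i < n; i++) {
        int err = 0;
        switch (chain[i].answer) {
        case OCSP_GOOD:         continue;
        case OCSP_REVOKED:      err = MOCK_SEC_ERROR_REVOKED_CERTIFICATE; r.revoked = 1; break;
        case OCSP_UNAUTHORIZED: err = MOCK_SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST; break;
        case OCSP_TRY_LATER:    err = MOCK_SEC_ERROR_OCSP_TRY_SERVER_LATER; break;
        }
        r.error = err;
        r.subject = chain[i].subject;
        return r;   /* strict mode: the first failing cert ends the check */
    }
    return r;
}

/* Behaviour the bug describes: every failure is reported as "revoked". */
int legacy_error(const RevResult *r) {
    return r->error ? MOCK_SEC_ERROR_REVOKED_CERTIFICATE : 0;
}

/* Behaviour proposed in comment 2: only a real "revoked" answer yields
 * SEC_ERROR_REVOKED_CERTIFICATE; any other failure surfaces its own code. */
int proposed_error(const RevResult *r) {
    return r->error;
}
```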