Closed
Bug 692992
Opened 13 years ago
Closed 11 years ago
OCSP "UNKNOWN" responses should be treated as failures
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 745747
People
(Reporter: aerowolf, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20110902133214

Steps to reproduce:

(I'm not sure if this is NSS or PSM)

Expected results:

OCSP "UNKNOWN" responses are a statement from non-authoritative OCSP servers that they don't know the revocation status, and that the original issuer should be consulted. OCSP "UNKNOWN" from the authoritative issuer is an error: it states that the CA doesn't know if it ever even issued the certificate, much less if it's valid. As we have seen with the DigiNotar incident, it is sometimes possible to issue certificates without keeping the records around, preventing standard revocation mechanisms from working. If the originating CA doesn't know whether it's valid or not, it probably shouldn't be part of Mozilla's trust list.
Comment 1•12 years ago
If you flip the strict OCSP checking pref then UNKNOWN responses are treated as failures. We'd sort of get this for free when we make that the default, but since we're a long ways from being able to do that (need to build a caching system to compensate for the flaky reality of today's OCSP infrastructure) this is still a valid request.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to Daniel Veditz [:dveditz] from comment #1)
> If you flip the strict OCSP checking pref then UNKNOWN responses are treated
> as failures.

As it turns out, they are already treated as failures irrespective of the value of the security.OCSP.require pref. Duplicating to bug 745747 which, though filed later, has more information.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
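As an added example (not NSS or PSM code, and not from this bug), the client-side decision the reporter asks for and comment 2 describes, written against the Python cryptography library: a constructed CA and leaf, OCSP responses built for each CertStatus, and an evaluator that treats a well-formed UNKNOWN from the issuer as a failure regardless of the strictness setting, while a malformed or unverifiable response is a hard failure only when strict. The `require_ocsp` parameter stands in for security.OCSP.require; the CA, the leaf, the function names and the accept/reject/soft-fail labels are all assumptions of this example.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _utcnow():
    # Naive UTC timestamp, accepted for OCSP/certificate fields by every cryptography release.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _make_cert(subject, issuer_name, public_key, signing_key, is_ca):
    # Constructed test certificate: an assumption of this example, not a real CA.
    now = _utcnow()
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
CA_CERT = _make_cert(CA_NAME, CA_NAME, CA_KEY.public_key(), CA_KEY, is_ca=True)

LEAF_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
LEAF_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")])
LEAF_CERT = _make_cert(LEAF_NAME, CA_NAME, LEAF_KEY.public_key(), CA_KEY, is_ca=False)


def build_response(cert_status, signing_key=CA_KEY, responder_cert=CA_CERT):
    """Signed DER OCSP response for LEAF_CERT carrying the given CertStatus.

    By default the issuing CA answers (the authoritative responder). Passing another
    key/cert pair simulates a response the client cannot attribute to the issuer.
    """
    now = _utcnow()
    revoked = cert_status == ocsp.OCSPCertStatus.REVOKED
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=LEAF_CERT,
            issuer=CA_CERT,
            algorithm=hashes.SHA1(),  # CertID hash algorithm, as most responders use
            cert_status=cert_status,
            this_update=now,
            next_update=now + datetime.timedelta(hours=1),
            revocation_time=now if revoked else None,
            revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
    )
    return builder.sign(signing_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def evaluate(der, leaf=LEAF_CERT, issuer=CA_CERT, require_ocsp=False):
    """Client decision: 'accept', 'reject' or 'soft-fail'.

    require_ocsp plays the role of security.OCSP.require: when False an unusable
    response (garbage, non-successful status, bad signature, wrong serial) is
    tolerated as 'soft-fail'; when True it is a hard 'reject'. A well-formed
    UNKNOWN from the issuer is rejected in both modes.
    """
    on_error = "reject" if require_ocsp else "soft-fail"
    try:
        resp = ocsp.load_der_ocsp_response(der)
    except ValueError:
        return on_error
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return on_error
    # Only the issuer may answer for this leaf here; delegated responders are not modelled.
    try:
        issuer.public_key().verify(
            resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(), resp.signature_hash_algorithm
        )
    except InvalidSignature:
        return on_error
    if resp.serial_number != leaf.serial_number:
        return on_error
    # thisUpdate/nextUpdate freshness checks are omitted for brevity.
    if resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
        return "accept"
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        return "reject"
    # UNKNOWN from the authoritative issuer: the CA cannot vouch for a certificate it
    # is supposed to have issued, so this fails regardless of require_ocsp.
    return "reject"


if __name__ == "__main__":
    for status in (ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED, ocsp.OCSPCertStatus.UNKNOWN):
        print(status.name, evaluate(build_response(status)), evaluate(build_response(status), require_ocsp=True))
```

The split in `evaluate` is the one comment 1 and comment 2 turn on: the strictness pref only decides what happens when no usable answer is obtained, whereas a definite UNKNOWN from the issuer is an answer, and a bad one, so it is a hard failure either way.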