Open Bug 943651 Opened 8 years ago Updated 7 years ago

Add support for the PreferredSignatureAlgorithms OCSP request extension

Categories

(NSS :: Libraries, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

People

(Reporter: briansmith, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug, )

Details

For compatibility reasons, we have to assume that the OCSP responder that we're sending an OCSP request to can only understand SHA-1 hashes in the OCSP request. RFC 6960 section 4.4.7 defines an OCSP request extension wherein the OCSP request can indicate that the client supports/prefers additional signature algorithms.

As the RFC indicates, the OCSP responder can usually just assume that the client can verify signatures on OCSP responses that use the same algorithm that was used to sign the certificate the OCSP response is for, but this doesn't help the OCSP responder decide what signature algorithm to use for successful responses whose certificate status is Unknown, where there is no such certificate to go by.
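The following is an added illustration of the extension the bug asks for, not NSS code: a minimal DER encoder and parser for the RFC 6960 section 4.4.7 PreferredSignatureAlgorithms extension, plus the responder-side selection the description alludes to. The extension OID (id-pkix-ocsp-pref-sig-algs, 1.3.6.1.5.5.7.48.1.8) and the three signature-algorithm OIDs are the standard values; the responder's supported set and the SHA-1 fallback are constructed inputs for the example.

```python
"""Encode, parse and act on the PreferredSignatureAlgorithms OCSP request
extension (RFC 6960 section 4.4.7).  Added example; not NSS code."""

OID_PREF_SIG_ALGS = "1.3.6.1.5.5.7.48.1.8"   # id-pkix-ocsp-pref-sig-algs
OID_SHA1_RSA = "1.2.840.113549.1.1.5"        # sha1WithRSAEncryption
OID_SHA256_RSA = "1.2.840.113549.1.1.11"     # sha256WithRSAEncryption
OID_ECDSA_SHA256 = "1.2.840.10045.4.3.2"     # ecdsa-with-SHA256

# RSA PKCS#1 ids carry NULL parameters; ECDSA ids omit parameters (RFC 5758).
NULL_PARAMS = {OID_SHA1_RSA, OID_SHA256_RSA}


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def algorithm_identifier(oid):
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    params = b"\x05\x00" if oid in NULL_PARAMS else b""
    return der_tlv(0x30, der_oid(oid) + params)


def preferred_sig_algs_extension(sig_oids):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
                                 extnValue OCTET STRING }
    extnValue wraps PreferredSignatureAlgorithms ::= SEQUENCE OF
        PreferredSignatureAlgorithm ::= SEQUENCE { sigIdentifier AlgorithmIdentifier,
                                                   certIdentifier AlgorithmIdentifier OPTIONAL }
    Only sigIdentifier is emitted; critical is left at its DER default (absent)."""
    items = b"".join(der_tlv(0x30, algorithm_identifier(o)) for o in sig_oids)
    value = der_tlv(0x30, items)
    return der_tlv(0x30, der_oid(OID_PREF_SIG_ALGS) + der_tlv(0x04, value))


def parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body):
    # First octet packs the first two arcs; this covers the 1.x arcs used here.
    arcs = [body[0] // 40, body[0] % 40]
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_preferred_sig_algs(ext):
    """Responder side: return the client's sigIdentifier OIDs in preference order."""
    tag, body, _ = parse_tlv(ext)
    if tag != 0x30:
        raise ValueError("Extension is not a SEQUENCE")
    tag, oid_body, pos = parse_tlv(body)
    if tag != 0x06 or decode_oid(oid_body) != OID_PREF_SIG_ALGS:
        raise ValueError("not the PreferredSignatureAlgorithms extension")
    tag, value, pos = parse_tlv(body, pos)
    if tag == 0x01:                      # optional critical BOOLEAN; skip it
        tag, value, pos = parse_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    _, seq, _ = parse_tlv(value)         # PreferredSignatureAlgorithms
    prefs, pos = [], 0
    while pos < len(seq):
        _, item, pos = parse_tlv(seq, pos)      # PreferredSignatureAlgorithm
        _, algid, _ = parse_tlv(item)           # sigIdentifier
        _, oid_body, _ = parse_tlv(algid)       # algorithm OID
        prefs.append(decode_oid(oid_body))
    return prefs


def choose_response_algorithm(client_prefs, responder_supported, fallback=OID_SHA1_RSA):
    """Pick the first client-preferred algorithm the responder supports; without a
    usable preference, stay with the SHA-1 default the bug says must be assumed."""
    for oid in client_prefs:
        if oid in responder_supported:
            return oid
    return fallback
```

On a request with no preference list, `choose_response_algorithm` degrades to exactly the compatibility behaviour the description complains about; with the extension present, a responder that supports SHA-256 can sign even an Unknown-status response with it instead of guessing from a certificate it may not have.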
Depends on: 663315
Summary: Add support for the PreferredSignatureAlgorithms OCSP request extension ( → Add support for the PreferredSignatureAlgorithms OCSP request extension
No longer blocks: 942515
See Also: → 942515