Open Bug 943651 Opened 8 years ago Updated 7 years ago
Add support for the PreferredSignatureAlgorithms OCSP request extension
For compatibility reasons, we have to assume that the OCSP responder that we're sending an OCSP request to can only understand SHA-1 hashes in the OCSP request. RFC 6990 section 4.4.7 defines an OCSP request extension wherein the OCSP request can indicate that the client supports/prefers additional signature algorithms. As the RFC indicates, the OCSP responder can usually just assume that the client can verify signatures on OCSP responses that are of the same algorithm used to sign the certificate that the OCSP response is for, but this doesn't help the OCSP responder decide what signature algorithm to use for successful Unknown responses.
Depends on: 663315
Summary: Add support for the PreferredSignatureAlgorithms OCSP request extension ( → Add support for the PreferredSignatureAlgorithms OCSP request extension
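For reference, this is what the requested extension looks like on the wire. The following is an added example, not code from this bug or from any Mozilla patch: a minimal DER encoder that builds the PreferredSignatureAlgorithms extension (id-pkix-ocsp-pref-sig-algs, 1.3.6.1.5.5.7.48.1.8, as laid out in RFC 6960 section 4.4.7) and wraps it as `requestExtensions`. The two algorithms and their preference order are assumptions chosen for illustration.

```python
# Added example: DER-encode an OCSP PreferredSignatureAlgorithms request extension.
# The algorithm choices and their order below are illustrative assumptions.

def der_len(n):
    """DER definite-length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, low group first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def seq(*items):
    return tlv(0x30, b"".join(items))

NULL = b"\x05\x00"
ID_PKIX_OCSP_PREF_SIG_ALGS = "1.3.6.1.5.5.7.48.1.8"
SHA256_WITH_RSA = seq(oid("1.2.840.113549.1.1.11"), NULL)  # parameters NULL
ECDSA_WITH_SHA256 = seq(oid("1.2.840.10045.4.3.2"))        # parameters absent

def pref_sig_algs_extension(sig_algs):
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }, non-critical.
    extnValue wraps SEQUENCE OF SEQUENCE { sigIdentifier AlgorithmIdentifier };
    the optional certIdentifier is omitted. Most preferred algorithm first."""
    value = seq(*(seq(alg) for alg in sig_algs))
    return seq(oid(ID_PKIX_OCSP_PREF_SIG_ALGS), tlv(0x04, value))

def request_extensions(*extensions):
    """requestExtensions [2] EXPLICIT Extensions, as carried in TBSRequest."""
    return tlv(0xA2, seq(*extensions))

if __name__ == "__main__":
    ext = pref_sig_algs_extension([ECDSA_WITH_SHA256, SHA256_WITH_RSA])
    print(request_extensions(ext).hex())
```

The extension is omitted from the encoding's `critical` field, so it defaults to non-critical and a responder that does not understand it can ignore it.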