Closed
Bug 973751
Opened 10 years ago
Closed 7 years ago
Support the "extended revoked" OCSP status for unknown/mis-issued certificates in mozilla::pkix
Categories
(Core :: Security: PSM, defect)
RESOLVED
WONTFIX
People
(Reporter: briansmith, Unassigned)
Details
(Whiteboard: [psm-backlog])
+++ This bug was initially created as a clone of Bug #943815 +++

"This extension indicates that the responder supports the extended definition of the "revoked" status to also include non-issued certificates according to Section 2.2.

"This extension MUST be included in the OCSP response when that response contains a "revoked" status for a non-issued certificate."

When an OCSP response contains this extension, and the certificate status is revoked, we should return a SEC_ERROR_OCSP_UNKNOWN_CERT error instead of a SEC_ERROR_REVOKED_CERTIFICATE error.
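The mapping proposed in the description above, sketched as an added example (not mozilla::pkix code and not written by the bug's participants). `Classify`, `HasExtendedRevoke`, `ReadTlv`, the `Verdict` enum and the sample bytes are hypothetical; the parser accepts only short-form DER lengths and treats malformed extensions as absent, so a "revoked" response is rejected either way.

```cpp
// Added example with hypothetical names; this is not mozilla::pkix code.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

enum class CertStatus { Good, Revoked, Unknown };
// Stand-ins for the NSS error names used in the bug, not the real constants.
enum class Verdict { Ok, RevokedCertificate, OcspUnknownCert };
// DER TLV of id-pkix-ocsp-extended-revoke, OID 1.3.6.1.5.5.7.48.1.9 (RFC 6960).
static const uint8_t kExtendedRevokeOid[] = {0x06, 0x09, 0x2B, 0x06, 0x01, 0x05,
                                             0x05, 0x07, 0x30, 0x01, 0x09};
// Constructed sample: Extensions holding only that extension (extnValue NULL).
static const std::vector<uint8_t> kSampleExtensions = {
    0x30, 0x11, 0x30, 0x0F, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x05,
    0x05, 0x07, 0x30, 0x01, 0x09, 0x04, 0x02, 0x05, 0x00};

// Reads one short-form TLV at buf[pos]; false on truncation or long-form length.
static bool ReadTlv(const std::vector<uint8_t>& buf, size_t& pos, uint8_t tag,
                    size_t& start, size_t& len) {
  if (pos + 2 > buf.size() || buf[pos] != tag || buf[pos + 1] >= 0x80) return false;
  start = pos + 2;
  len = buf[pos + 1];
  if (len > buf.size() - start) return false;
  pos = start + len;
  return true;
}

// True if the DER "SEQUENCE OF Extension" contains extended-revoke. Malformed
// input counts as absent: the caller then reports plain "revoked" (fail closed).
bool HasExtendedRevoke(const std::vector<uint8_t>& exts) {
  size_t pos = 0, start = 0, len = 0;
  if (!ReadTlv(exts, pos, 0x30, start, len) || pos != exts.size()) return false;
  for (pos = start; pos < exts.size();) {
    if (!ReadTlv(exts, pos, 0x30, start, len)) return false;
    if (len >= sizeof(kExtendedRevokeOid) &&
        std::memcmp(&exts[start], kExtendedRevokeOid, sizeof(kExtendedRevokeOid)) == 0)
      return true;
  }
  return false;
}

// The mapping the bug proposes: "revoked" plus the extension becomes "unknown".
Verdict Classify(CertStatus status, const std::vector<uint8_t>& exts) {
  if (status == CertStatus::Good) return Verdict::Ok;
  if (status == CertStatus::Unknown) return Verdict::OcspUnknownCert;
  return HasExtendedRevoke(exts) ? Verdict::OcspUnknownCert : Verdict::RevokedCertificate;
}
```

Both verdicts for a "revoked" status are failures; the extension only changes which error is reported.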
Updated•10 years ago
Summary: Support the "extended revoked" OCSP status for unknown/mis-issued certificates in insanity::pkix → Support the "extended revoked" OCSP status for unknown/mis-issued certificates in mozilla::pkix
Whiteboard: [psm-backlog]
Honestly, I think supporting this would implicitly encourage CAs to run flaky OCSP responders (assuming the use-case is "the CA issued a certificate but its responders aren't aware of the certificate yet and so any clients that ask get a 'revoked' response" (and if that's not the use-case, then I don't understand why we would ever do this)).
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX