Closed
Bug 973751
Opened 12 years ago
Closed 8 years ago
Support the "extended revoked" OCSP status for unknown/mis-issued certificates in mozilla::pkix
Categories
(Core :: Security: PSM, defect)
Tracking
RESOLVED
WONTFIX
People
(Reporter: briansmith, Unassigned)
Details
(Whiteboard: [psm-backlog])
+++ This bug was initially created as a clone of Bug #943815 +++
"This extension indicates that the responder supports the extended
definition of the "revoked" status to also include non-issued
certificates according to Section 2.2.
"This extension MUST be included in the OCSP response when that
response contains a "revoked" status for a non-issued certificate."
When an OCSP response contains this extension, and the certificate status is revoked, we should return a SEC_ERROR_OCSP_UNKNOWN_CERT error instead of a SEC_ERROR_REVOKED_CERTIFICATE error.
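The mapping proposed in the description, as an added example that is not part of the original bug and is not mozilla::pkix code. `Verdict`, `ReadTLV` and `MapRevoked` are hypothetical names, the OID and its DER encoding are those of RFC 6960, the byte strings are constructed samples, and returning `Malformed` for unparseable extensions is this example's own choice.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Stand-ins named after the NSS errors in the bug text (not the NSS definitions).
enum class Verdict { RevokedCertificate, OcspUnknownCert, Malformed };
// DER content of id-pkix-ocsp-extended-revoke, 1.3.6.1.5.5.7.48.1.9 (RFC 6960).
static const uint8_t kExtRevoke[] = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x09};

// Read one short-form DER TLV at pos, bounded by end; false if it does not fit.
static bool ReadTLV(const Bytes& d, size_t& pos, size_t end, uint8_t& tag,
                    size_t& start, size_t& len) {
  if (end > d.size() || pos > end || end - pos < 2 || (d[pos + 1] & 0x80)) return false;
  tag = d[pos];
  len = d[pos + 1];
  start = pos + 2;
  if (len > end - start) return false;
  pos = start + len;
  return true;
}

// Hypothetical helper: map a response whose certStatus is already "revoked",
// given the DER "SEQUENCE OF Extension" from responseExtensions (empty if absent).
Verdict MapRevoked(const Bytes& exts) {
  if (exts.empty()) return Verdict::RevokedCertificate;
  size_t pos = 0, seq, seqLen;
  uint8_t tag;
  if (!ReadTLV(exts, pos, exts.size(), tag, seq, seqLen) || tag != 0x30 ||
      seq + seqLen != exts.size()) return Verdict::Malformed;
  bool extended = false;
  for (pos = seq; pos < exts.size();) {
    size_t ext, extLen, oid, oidLen;
    if (!ReadTLV(exts, pos, exts.size(), tag, ext, extLen) || tag != 0x30)
      return Verdict::Malformed;
    size_t in = ext;  // extnID is the first field of each Extension
    if (!ReadTLV(exts, in, ext + extLen, tag, oid, oidLen) || tag != 0x06)
      return Verdict::Malformed;
    if (oidLen == sizeof(kExtRevoke) && !std::memcmp(&exts[oid], kExtRevoke, oidLen))
      extended = true;  // responder declared the extended "revoked" definition
  }
  return extended ? Verdict::OcspUnknownCert : Verdict::RevokedCertificate;
}

// Constructed sample inputs (not captured from a real responder).
const Bytes kWithExtRevoke = {0x30, 0x11, 0x30, 0x0F, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x05,
                              0x05, 0x07, 0x30, 0x01, 0x09, 0x04, 0x02, 0x05, 0x00};
const Bytes kNonceOnly = {0x30, 0x13, 0x30, 0x11, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05,
                          0x07, 0x30, 0x01, 0x02, 0x04, 0x04, 0x04, 0x02, 0xAA, 0xBB};
```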
Updated•12 years ago
Summary: Support the "extended revoked" OCSP status for unknown/mis-issued certificates in insanity::pkix → Support the "extended revoked" OCSP status for unknown/mis-issued certificates in mozilla::pkix
Updated•9 years ago
Whiteboard: [psm-backlog]
Comment 1•8 years ago
Honestly, I think supporting this would implicitly encourage CAs to run flaky OCSP responders (assuming the use-case is "the CA issued a certificate but its responders aren't aware of the certificate yet and so any clients that ask get a 'revoked' response" (and if that's not the use-case, then I don't understand why we would ever do this)).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX