Closed Bug 973751 Opened 7 years ago Closed 3 years ago

Support the "extended revoked" OCSP status for unknown/mis-issued certificates in mozilla::pkix

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: briansmith, Unassigned)

References

()

Details

(Whiteboard: [psm-backlog])

+++ This bug was initially created as a clone of Bug #943815 +++

"This extension indicates that the responder supports the extended
 definition of the "revoked" status to also include non-issued
 certificates according to Section 2.2.

"This extension MUST be included in the OCSP response when that
 response contains a "revoked" status for a non-issued certificate."

When an OCSP response contains this extension, and the certificate status is revoked, we should return a SEC_ERROR_OCSP_UNKNOWN_CERT error instead of a SEC_ERROR_REVOKED_CERTIFICATE error.
Summary: Support the "extended revoked" OCSP status for unknown/mis-issued certificates in insanity::pkix → Support the "extended revoked" OCSP status for unknown/mis-issued certificates in mozilla::pkix
Honestly, I think supporting this would implicitly encourage CAs to run flaky OCSP responders (assuming the use-case is "the CA issued a certificate but its responders aren't aware of the certificate yet and so any clients that ask get a 'revoked' response" (and if that's not the use-case, then I don't understand why we would ever do this)).
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.