Closed Bug 973751 Opened 7 years ago Closed 3 years ago
Support the "extended revoked" OCSP status for unknown/mis-issued certificates in mozilla::pkix
+++ This bug was initially created as a clone of Bug #943815 +++

"This extension indicates that the responder supports the extended definition of the "revoked" status to also include non-issued certificates according to Section 2.2.

"This extension MUST be included in the OCSP response when that response contains a "revoked" status for a non-issued certificate."

When an OCSP response contains this extension, and the certificate status is revoked, we should return a SEC_ERROR_OCSP_UNKNOWN_CERT error instead of a SEC_ERROR_REVOKED_CERTIFICATE error.
Summary: Support the "extended revoked" OCSP status for unknown/mis-issued certificates in insanity::pkix → Support the "extended revoked" OCSP status for unknown/mis-issued certificates in mozilla::pkix
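The status mapping requested in the description, as an added sketch that is not mozilla::pkix code and not part of the original bug. It also applies the RFC 6960 Section 2.2 markers for a non-issued certificate (reason certificateHold, revocationTime of January 1, 1970, no CRL extensions), because the extension may accompany ordinary revocations too. The struct, enum and function names are hypothetical, and the `Result` values only mirror the `SEC_ERROR_*` codes named above.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical, simplified view of an OCSP response whose signature and
// validity period were already verified (these are not mozilla::pkix types).
enum class CertStatus { Good, Revoked, Unknown };
// Stand-ins for success, SEC_ERROR_REVOKED_CERTIFICATE and
// SEC_ERROR_OCSP_UNKNOWN_CERT.
enum class Result { Success, RevokedCertificate, OcspUnknownCert };

struct SingleResponseInfo {
  CertStatus status;
  bool hasRevocationReason;
  int revocationReason;    // CRLReason value, valid if hasRevocationReason
  int64_t revocationTime;  // seconds since the Unix epoch
  bool hasCrlExtensions;   // CRL references or CRL entry extensions present
  std::vector<std::string> responseExtensionOids;  // dotted OIDs
};

// id-pkix-ocsp-extended-revoke (RFC 6960, Section 4.4.8)
static const char kExtendedRevokeOid[] = "1.3.6.1.5.5.7.48.1.9";
static const int kReasonCertificateHold = 6;

Result ClassifyStatus(const SingleResponseInfo& r) {
  if (r.status == CertStatus::Good) return Result::Success;
  // Assumption: a plain "unknown" status maps to the unknown-cert error.
  if (r.status == CertStatus::Unknown) return Result::OcspUnknownCert;

  const auto& oids = r.responseExtensionOids;
  bool extendedRevoke =
      std::find(oids.begin(), oids.end(), kExtendedRevokeOid) != oids.end();
  // The extension alone is not enough: a responder may send it with real
  // revocations, so all Section 2.2 non-issued markers must be present.
  bool nonIssuedMarkers = r.hasRevocationReason &&
                          r.revocationReason == kReasonCertificateHold &&
                          r.revocationTime == 0 && !r.hasCrlExtensions;
  if (extendedRevoke && nonIssuedMarkers) return Result::OcspUnknownCert;
  return Result::RevokedCertificate;  // fail closed on anything else
}
```

Both non-success results still reject the certificate; only the reported error differs.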
Honestly, I think supporting this would implicitly encourage CAs to run flaky OCSP responders (assuming the use-case is "the CA issued a certificate but its responders aren't aware of the certificate yet and so any clients that ask get a 'revoked' response" (and if that's not the use-case, then I don't understand why we would ever do this)).
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX