On Thu, Mar 19, 2015 at 09:35:20AM +0100, LuxTrust CA wrote:
> Regarding issue #2 : OCSP responds "good" to a non-issued certificate
> (serials FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 00) (BR Section
> 13.2.6) :
> LuxTrust’s OCSP application currently does not support this feature
> (technical limitation). LuxTrust is currently analyzing the possibility of
> an alternative solution / technical improvements.
> Pending a technical alternative, LuxTrust would like to underline that the
> risks raised by the “good” response to a non-issued certificate are mitigated
> by compensatory controls: even if LuxTrust’s OCSP responder provides an
> inadequate “good” response, the certificate will not pass the step of
> validation of the CA information (trust anchor) because the certificate is
> not signed by LuxTrust’s CA

Unless, of course, the certificate *is* signed by an intermediate CA's
private key which chains to the LuxTrust root.  That is one of the reasons
for requiring accuracy of OCSP responses -- to demonstrate that you have a
record of every certificate that has been issued.  One of the (many)
problems with DigiNotar was that they didn't know what they'd issued.  It
would be nice if that didn't happen again.

- Matt

-- 
I was punching a text message into my phone yesterday and thought, "they need
to make a phone that you can just talk into."
                -- Major Thomb
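Added example, not part of Matt's reply or of LuxTrust's response: a short Python model of the distinction Matt is drawing. A responder that derives status from a revocation list alone answers "good" for any serial it has never seen, including the two BR 13.2.6 test serials and any certificate signed with a CA or intermediate key but never recorded; a responder backed by the CA's issuance ledger can answer "revoked" (or "unknown") for those. The ledger contents, the hypothetical serials 0x1001/0x1002 and the function names are constructed for illustration; the status strings follow RFC 6960 CertStatus names.

```python
"""Two ways to back an OCSP responder, and the BR 13.2.6 check that tells
them apart.  Constructed example for illustration; nothing here is
LuxTrust's or Mozilla's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Test serials named in the quoted BR discussion: all-ones and zero.
BR_TEST_SERIALS = (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, 0x00)


@dataclass
class CaRecords:
    """What a CA knows about its own output (constructed sample data)."""
    issued: Set[int] = field(default_factory=set)        # every serial ever signed
    revoked: Dict[int, str] = field(default_factory=dict)  # serial -> reason


def crl_backed_status(records: CaRecords, serial: int) -> str:
    """Defective design: status is derived from the revocation list alone.

    Anything not on the list is reported 'good', so a serial the CA never
    issued, or issued but failed to record, also comes back 'good'.
    """
    return "revoked" if serial in records.revoked else "good"


def ledger_backed_status(records: CaRecords, serial: int) -> str:
    """Corrected design: consult the issuance ledger, not just revocations.

    RFC 6960 section 2.2 permits answering 'revoked' for a serial the CA has
    no record of issuing; 'unknown' is the other defensible answer.  The one
    answer that is never acceptable for such a serial is 'good'.
    """
    if serial in records.revoked:
        return "revoked"
    if serial in records.issued:
        return "good"
    return "revoked"  # never issued: treat as revoked (RFC 6960 extended definition)


def audit_non_issued(status_fn: Callable[[CaRecords, int], str],
                     records: CaRecords,
                     serials=BR_TEST_SERIALS) -> List[str]:
    """Auditor's check: 'good' for a serial absent from the ledger is a finding."""
    findings = []
    for serial in serials:
        status = status_fn(records, serial)
        if serial not in records.issued and status == "good":
            findings.append(
                f"serial 0x{serial:X}: responder says 'good' but serial was never issued")
    return findings


def sample_records() -> CaRecords:
    """Constructed ledger: two recorded certificates, one of them revoked."""
    return CaRecords(issued={0x1001, 0x1002}, revoked={0x1002: "keyCompromise"})


if __name__ == "__main__":
    recs = sample_records()
    # A certificate signed with the key but never written to the ledger
    # (the DigiNotar failure mode Matt alludes to): serial 0xBAD is constructed.
    rogue = 0xBAD
    for name, fn in (("crl-backed", crl_backed_status),
                     ("ledger-backed", ledger_backed_status)):
        print(f"{name:13s} rogue serial -> {fn(recs, rogue)}")
        for finding in audit_non_issued(fn, recs):
            print(f"{name:13s} FINDING: {finding}")
```

The CRL-backed responder passes LuxTrust's "compensatory control" argument only if every certificate that chains to the root is already known to the CA; the ledger-backed responder is what lets the OCSP service itself demonstrate that record, which is the property the BR clause is really after.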

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy