Hi Paul,
thank you for the clarification, I thought you were talking about subordinates.

Regards,

On Wednesday, 30 August 2017, 10:58:34 (UTC+2), Paul Kehrer wrote:
> Hi David,
>
> If you use the cert at https://crt.sh/?id=1616324 as issuer (the root
> itself) and run this command:
>
> openssl ocsp -issuer 1616324.crt -serial 101010101010101100001101001101
> -url http://ocsp.izenpe.com -noverify
>
> You will get back
>
> This Update: Jun 22 11:06:43 2017 GMT
> Next Update: Jun 22 11:06:43 2018 GMT
>
> Of course, no serverAuth certificates should be issued directly off the
> root, but the root is still enabled for that purpose so the responder
> should respond UNAUTHORIZED here (UNAUTHORIZED instead of UNKNOWN to allow
> the root to stay offline).
>
> On August 30, 2017 at 4:42:10 PM, David Fernandez via dev-security-policy (
> dev-security-policy@lists.mozilla.org) wrote:
>
> Hi Paul,
> can you provide what you posted, for example attaching the ocsp response. I
> mean if I query for a non-existent certificate, I get the following answer:
>
> openssl ocsp -no_cert_verify -no_signature_verify -issuer SSLEV_IZENPE.cer
> -serial 0x295990755083049101712519384020072382191 -url
> http://ocsp.izenpe.com
>
> Response verify OK
> 0x295990755083049101712519384020072382191: revoked
> This Update: Aug 30 08:36:05 2017 GMT
> Next Update: Sep 1 08:36:05 2017 GMT
> Reason: certificateHold
> Revocation Time: Jan 1 00:00:00 1970 GMT
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
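Added example, not part of the thread or of either participant's tooling: a Python sketch that classifies the text `openssl ocsp` prints when a responder is queried for a serial the CA never issued. It assumes the revoked / `certificateHold` / 1 January 1970 combination quoted above is the RFC 6960 convention for non-issued certificates; the function names, the `0x1234` serial and the `good` and `unauthorized` samples are constructed for illustration.

```python
import re
from datetime import datetime

EPOCH = datetime(1970, 1, 1)

# Output quoted in the thread for the non-existent serial.
THREAD_SAMPLE = """Response verify OK
0x295990755083049101712519384020072382191: revoked
This Update: Aug 30 08:36:05 2017 GMT
Next Update: Sep 1 08:36:05 2017 GMT
Reason: certificateHold
Revocation Time: Jan 1 00:00:00 1970 GMT
"""
# Constructed samples (not from the thread); 0x1234 is a placeholder serial.
GOOD_SAMPLE = "Response verify OK\n0x1234: good\n\tThis Update: Aug 30 08:36:05 2017 GMT\n"
UNAUTHORIZED_SAMPLE = "Responder Error: unauthorized (6)\n"

def parse_ocsp_text(text):
    """Extract status, reason and revocation time from `openssl ocsp` text output."""
    result = {"status": None, "reason": None, "revoked_at": None}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse tabs and padding such as "Sep  1"
        err = re.match(r"Responder Error: (\w+)", line)
        cert = re.match(r"(?:0x)?[0-9A-Fa-f]+: (good|revoked|unknown)$", line)
        if err:
            result["status"] = "error:" + err.group(1)
        elif cert:
            result["status"] = cert.group(1)
        elif line.startswith("Reason: "):
            result["reason"] = line[len("Reason: "):]
        elif line.startswith("Revocation Time: "):
            stamp = line[len("Revocation Time: "):]
            result["revoked_at"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return result

def classify_unissued(text):
    """Label the answer a responder gave for a serial known to be unissued."""
    r = parse_ocsp_text(text)
    if r["status"] == "error:unauthorized":
        return "unauthorized"
    if r["status"] == "revoked":
        # certificateHold dated at the Unix epoch marks a non-issued serial.
        if r["reason"] == "certificateHold" and r["revoked_at"] == EPOCH:
            return "non-issued"
        return "revoked"
    if r["status"] in ("good", "unknown"):
        return r["status"]  # "good" here is the case an auditor would flag
    return "unparsed"
```
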