On 16/03/18 05:17, Jakob Bohm via dev-security-policy wrote:
<snip>
Please see https://crt.sh/?id=353098570&opt=cablint
Note: This is the CT precertificate.
Note 2: According to crt.sh, the OCSP response for this precertificate
is not correct. (error message: "OCSP response contains bad number of
certificates").
The crt.sh feature relies on Go's crypto/ocsp library, which currently
"is just a bit limited and doesn't have support for more complex
responses" [1].
It's not "incorrect" for an OCSP response to contain superfluous CA
certificates. However, it is suboptimal (in terms of bytes on the wire).
[1] https://github.com/golang/go/issues/21527
--
Rob Stradling
Senior Research & Development Scientist
ComodoCA.com
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy