On 16/03/18 10:27, Rob Stradling via dev-security-policy wrote:
On 16/03/18 05:17, Jakob Bohm via dev-security-policy wrote:
<snip>
Please see https://crt.sh/?id=353098570&opt=cablint
Note: This is the CT precertificate.
Note 2: According to crt.sh, the OCSP response for this precertificate
is not correct. (error message: "OCSP response contains bad number of
certificates").
The crt.sh feature relies on Go's crypto/ocsp library, which currently
"is just a bit limited and doesn't have support for more complex
responses" [1].
The Go x/crypto/ocsp library was recently updated. I've just deployed
the update to crt.sh, and as a result https://crt.sh/ocsp-responders no
longer shows any instances of the "bad number of certificates" error.
It's not "incorrect" for an OCSP response to contain superfluous CA
certificates. However, it is suboptimal (in terms of bytes on the wire).
[1] https://github.com/golang/go/issues/21527
--
Rob Stradling
Senior Research & Development Scientist
ComodoCA.com
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
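As an added illustration of the field at issue (this is not code from the thread, crt.sh or the Go library): a minimal standard-library-only DER walker that locates the certs [0] EXPLICIT SEQUENCE OF Certificate field of a BasicOCSPResponse (RFC 6960), counts the certificates it carries and reports how many bytes they add to the response. The sample response is constructed, with placeholder tbsResponseData and signature, so it can run offline; the parser itself works on any DER OCSPResponse.

```python
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1

def _der_len(n):
    # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def summarize_ocsp_response(der):
    """Count certs in the [0] EXPLICIT certs field and the bytes they cost."""
    _, ocsp, _ = read_tlv(der)                            # OCSPResponse SEQUENCE
    items = children(ocsp)                                # ENUMERATED, [0] responseBytes
    if items[0][1] != b"\x00" or len(items) < 2:          # only 'successful' carries responseBytes
        return {"certs": 0, "cert_bytes": 0, "total_bytes": len(der)}
    (_, oid), (_, basic) = children(children(items[1][1])[0][1])
    if oid != ID_PKIX_OCSP_BASIC:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    fields = children(children(basic)[0][1])              # tbs, sigAlg, sig, [certs]
    certs = [v for t, v in fields[3:] if t == 0xA0]       # certs is [0] EXPLICIT, optional
    n = len(children(children(certs[0])[0][1])) if certs else 0
    return {"certs": n, "cert_bytes": len(certs[0]) if certs else 0, "total_bytes": len(der)}

def build_response(cert_blobs):
    """Constructed OCSPResponse; tbsResponseData and signature are placeholders."""
    tbs = tlv(0x30, tlv(0x04, b"tbsResponseData placeholder"))
    sig = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b"))) + tlv(0x03, b"\x00" * 5)
    certs = tlv(0xA0, tlv(0x30, b"".join(cert_blobs))) if cert_blobs else b""
    basic = tlv(0x30, tbs + sig + certs)
    rb = tlv(0xA0, tlv(0x30, tlv(0x06, ID_PKIX_OCSP_BASIC) + tlv(0x04, basic)))
    return tlv(0x30, tlv(0x0A, b"\x00") + rb)
```

Feeding a real responder's DER to summarize_ocsp_response shows whether it ships zero, one (the delegated responder certificate) or several certificates, and the cert_bytes figure is the wire overhead the thread calls suboptimal.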