Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:

>Section 4.9.9 of the BRs requires that OCSP Delegated Responders MUST include
>an id-pkix-ocsp-nocheck extension. RFC 6960 defines an OCSP Delegated
>Responder within Section 4.2.2.2 as indicated by the presence of the
>id-kp-OCSPSigning as an EKU.

Unless I've misread your message, the problem isn't the presence or not of a
nocheck extension but the invalid presence of an OCSP EKU:

>I've flagged this as a SECURITY matter [...] the Issuing CA has delegated the
>ability to mint arbitrary OCSP responses to this third-party

So the problem would be the presence of the OCSP EKU when it shouldn't be there,
not the absence of the nocheck extension.

Peter.
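The two conditions being distinguished above (a certificate that carries id-kp-OCSPSigning but lacks id-pkix-ocsp-nocheck, versus a CA certificate that carries id-kp-OCSPSigning at all) can be checked mechanically. The following Go program is an added example written for this page, not code from the thread or from Mozilla; it uses only the standard library's crypto/x509 package, builds three constructed test certificates under a throwaway root, and reports each condition separately so the two findings are not conflated. The certificate names, serial numbers and the helper `SampleCerts` are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of id-pkix-ocsp-nocheck (RFC 6960, section 4.2.2.2.1).
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}

// LintOCSPSigning reports the two separate conditions discussed in the thread.
// A certificate without id-kp-OCSPSigning is not a delegated responder at all
// and yields no findings.
func LintOCSPSigning(cert *x509.Certificate) []string {
	hasOCSPSigning := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			hasOCSPSigning = true
		}
	}
	if !hasOCSPSigning {
		return nil
	}
	var findings []string
	hasNoCheck := false
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidOCSPNoCheck) {
			hasNoCheck = true
		}
	}
	if !hasNoCheck {
		findings = append(findings, "id-kp-OCSPSigning present but id-pkix-ocsp-nocheck missing (BR 4.9.9)")
	}
	if cert.IsCA {
		findings = append(findings, "id-kp-OCSPSigning on a CA certificate: its key can sign OCSP responses for the issuer's certificates")
	}
	return findings
}

// SampleCerts builds three constructed certificates (not real-world data) signed
// by a throwaway root: a compliant delegated responder, a responder missing
// nocheck, and a subordinate CA that carries the OCSPSigning EKU.
func SampleCerts() (map[string]*x509.Certificate, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	// RFC 6960 specifies the nocheck extension value as ASN.1 NULL (DER 05 00).
	noCheck := pkix.Extension{Id: oidOCSPNoCheck, Value: []byte{0x05, 0x00}}
	templates := map[string]*x509.Certificate{
		"responder-compliant": {SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example OCSP Responder"},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}, ExtraExtensions: []pkix.Extension{noCheck}},
		"responder-missing-nocheck": {SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "Example OCSP Responder"},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}},
		"subca-with-ocsp-eku": {SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "Example Sub CA"},
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning}},
	}
	out := make(map[string]*x509.Certificate)
	for name, tmpl := range templates {
		tmpl.NotBefore, tmpl.NotAfter = notBefore, notAfter
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
		if err != nil {
			return nil, err
		}
		if out[name], err = x509.ParseCertificate(der); err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	certs, err := SampleCerts()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"responder-compliant", "responder-missing-nocheck", "subca-with-ocsp-eku"} {
		fmt.Printf("%s: %v\n", name, LintOCSPSigning(certs[name]))
	}
}
```

Running the program prints no findings for the compliant responder, one finding for the responder that lacks nocheck, and two for the subordinate CA. The second of those is the condition the reply above singles out: it is raised by the EKU itself and does not go away if a nocheck extension is added. To run it over real certificates, replace `SampleCerts` with `x509.ParseCertificate` on DER read from disk.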
>Section 4.9.9 of the BRs requires that OCSP Delegated Responders MUST include >an id-pkix-ocsp-nocheck extension. RFC 6960 defines an OCSP Delegated >Responder within Section 4.2.2.2 as indicated by the presence of the id-kp- >OCSPSigning as an EKU. Unless I've misread your message, the problem isn't the presence or not of a nocheck extension but the invalid presence of an OCSP EKU: >I've flagged this as a SECURITY matter [...] the Issuing CA has delegated the >ability to mint arbitrary OCSP responses to this third-party So the problem would be the presence of the OCSP EKU when it shouldn't be there, not the absence of the nocheck extension. Peter. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy