> Policy-wise, apparently it's OK for a certificate to be both a CA
> certificate and a (correctly issued!) delegated OCSP signing certificate,
> which is I think what Ryan's earlier post was talking about. So if the
> affected CAs could go back in time and add the id-pkix-ocsp-nocheck
> extension to these certificates then those certificates arguably wouldn't
> have been misissued(*).

Wouldn't adding the nocheck extension make the subCA certificate irrevocable, thus in the case of a subCA certificate with serverAuth and ocspSigning EKUs, violate the spirit (and maybe the wording?) of sections 4.9.7 and 4.9.10 of the BRs, which mandate the availability of revocation services for the subCA certificate?

Thanks,
Corey

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy