> > Some tests were performed by Paul van Brouwershaven
> > https://gist.github.com/vanbroup/84859cd10479ed95c64abe6fcdbdf83d.
>
> As mentioned, those tests weren’t correct. I’ve provided sample test cases
> to several other browser vendors, and heard back or demonstrated that
> they’re vulnerable. As are the majority of open-source TLS libraries with
> support for OCSP.
Ryan, you made a statement about a bug in Golang; the test case linked by Dimitris was about the follow-up tests I did with certutil and Test-Certificate in PowerShell.

As a follow-up to Dimitris' comments, I tested the scenario where a sibling issuing CA [ICA 2] with the OCSP signing EKU (but without the digitalSignature KU) under [ROOT] would sign a revoked OCSP response for [ICA], also under [ROOT]:

https://gist.github.com/vanbroup/84859cd10479ed95c64abe6fcdbdf83d

I was actually surprised to see that certutil fails to validate/decode the OCSP response in this scenario. But this doesn't say it's not a problem, as other responders or versions might accept the response.

I will try to perform the same test on Mac in a moment.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
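The scenario above (a sibling CA under the same root carrying id-kp-OCSPSigning but no digitalSignature key usage) is exactly the case the RFC 6960 section 4.2.2.2 delegated-responder rules are meant to catch on the relying-party side. The Go program below is an added example written for this page; it is not code from the thread, from the linked gist, or from any of the libraries discussed. It builds a stand-in hierarchy with the same shape (ROOT issues ICA and ICA 2, plus a correctly configured responder for contrast) using only the standard library, then applies the three checks a client should run before trusting a response signed by anything other than the issuing CA's own key. All names, serial numbers and the decision to tolerate an absent KeyUsage extension are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a constructed PKI with the shape described in the thread.
// It is not the hierarchy from the linked gist.
type Hierarchy struct {
	Root      *x509.Certificate // ROOT: issues both intermediates
	ICA       *x509.Certificate // ICA: the CA whose revocation status is being asserted
	ICA2      *x509.Certificate // ICA 2: sibling CA with id-kp-OCSPSigning but no digitalSignature KU
	Responder *x509.Certificate // a correctly configured delegated responder under ROOT, for contrast
}

// template returns a minimal certificate template; subject names are placeholders.
func template(cn string, serial int64, isCA bool, ku x509.KeyUsage, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
	}
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns the parsed cert.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario creates ROOT, ICA, ICA 2 and a proper delegated responder.
func BuildScenario() (*Hierarchy, error) {
	caKU := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	ocsp := []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	root, rootKey, err := issue(template("ROOT", 1, true, caKU, nil), nil, nil)
	if err != nil {
		return nil, err
	}
	ica, _, err := issue(template("ICA", 2, true, caKU, nil), root, rootKey)
	if err != nil {
		return nil, err
	}
	// ICA 2: a CA certificate that also carries id-kp-OCSPSigning, but whose KeyUsage
	// is keyCertSign|cRLSign only, i.e. no digitalSignature bit.
	ica2, _, err := issue(template("ICA 2", 3, true, caKU, ocsp), root, rootKey)
	if err != nil {
		return nil, err
	}
	// A responder certificate as it should look: end-entity, digitalSignature, OCSPSigning EKU.
	resp, _, err := issue(template("OCSP Responder", 4, false, x509.KeyUsageDigitalSignature, ocsp), root, rootKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, ICA: ica, ICA2: ica2, Responder: resp}, nil
}

// CheckDelegatedResponder applies the RFC 6960 4.2.2.2 authorization rules to a
// certificate that signed an OCSP response about a certificate issued by issuer.
func CheckDelegatedResponder(responder, issuer *x509.Certificate) error {
	// 1. The responder certificate must be directly issued by the CA that issued the
	//    certificate whose status is asserted. Note that a sibling CA under the same
	//    root satisfies this for responses about the root's other children.
	if err := responder.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("responder not issued by the certificate's issuer: %w", err)
	}
	// 2. It must carry the id-kp-OCSPSigning extended key usage.
	hasEKU := false
	for _, eku := range responder.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			hasEKU = true
		}
	}
	if !hasEKU {
		return errors.New("responder lacks id-kp-OCSPSigning EKU")
	}
	// 3. If a KeyUsage extension is present it must include digitalSignature
	//    (an absent KeyUsage is tolerated here; that is this example's assumption).
	if responder.KeyUsage != 0 && responder.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("responder KeyUsage lacks digitalSignature")
	}
	return nil
}

func main() {
	h, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("ICA 2 as responder for ICA's status:", CheckDelegatedResponder(h.ICA2, h.Root))
	fmt.Println("proper responder for ICA's status:", CheckDelegatedResponder(h.Responder, h.Root))
	fmt.Println("proper responder for ICA-issued certs:", CheckDelegatedResponder(h.Responder, h.ICA))
}
```

Running it shows that ICA 2 passes the issuer check and the EKU check and is refused only by the KeyUsage check; a client that skips step 3 would accept its signature on a revoked response for ICA. The third line also shows why the issuer check is scoped to the issuing CA: the same responder under ROOT is not authorized for certificates that ICA itself issued.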