> It is conformant IF and only IF the user (not the CA) chooses to trust
> that responder. If the CERTIFICATE issued by the issuer says to go to
> that responder for OCSP, but the responder's cert is not either
> a) the issuer's cert, or
> b) a cert issued by the same issuer as the cert under test,
> then it is not conformant. The RFC is very clear about that.

I still disagree. RFC 2560 does allow the responder to be under a separate root as a 'trusted responder'. Naturally, no responder is trusted by everyone; there are users who accept a certain responder and there are users who do not accept it. I don't think that a responder is not conformant according to RFC 2560 just because there are users who do not trust it.

> My recommendation for Microsec is to refrain
> from including the OCSP service URI if and until they can provide an
> OCSP responder which is usable with Firefox and other browsers (when
> relying on AIA extension).

I agree, our responder is not useful for most Mozilla users. We shall remove the OCSP URL from the AIA field for webserver certificates.

> I vote no on this proposal due to OCSP interoperability issues.

I think the removal of the OCSP URL should eliminate this problem.

Regards,
István

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
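The disagreement above turns on which responder keys an OCSP client may accept for a given issuer. As an added illustration (not code from the thread, from Microsec, or from Mozilla), the following Python models the three acceptance rules of RFC 2560 section 4.2.2.2: a response signed with the issuing CA's own key, a "designated" responder certificate issued by that same CA with the id-kp-OCSPSigning extended key usage, and a "trusted responder" the client has explicitly configured to trust regardless of which root it chains to. The `Cert` class, the certificate names and the `fingerprint` values are constructed placeholders; a real client would verify the response signature and the responder certificate's chain instead of comparing fingerprints.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# OID of the id-kp-OCSPSigning extended key usage (RFC 2560, section 4.2.2.2).
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example).

    `fingerprint` is a hypothetical identifier for the certificate's key; a real
    client verifies the responder's signature against that key and validates
    the responder certificate's chain rather than comparing strings.
    """
    subject: str
    issuer: str
    fingerprint: str
    ekus: FrozenSet[str] = field(default_factory=frozenset)


def responder_acceptance(responder_cert: Cert, issuer_cert: Cert,
                         trusted_responders: FrozenSet[str]) -> Optional[str]:
    """Return which RFC 2560 rule lets this responder sign for issuer_cert, or None.

    1. "ca-signed": the response is signed with the key of the CA that issued
       the certificate being checked.
    2. "delegated": the responder holds a certificate issued by that same CA
       that carries id-kp-OCSPSigning (a designated responder).
    3. "trusted-responder": the client is locally configured to trust the
       responder key, whatever root it chains to.
    Anything else is rejected, which is what a browser with no local
    responder trust configuration does with a responder under another root.
    """
    if responder_cert.fingerprint == issuer_cert.fingerprint:
        return "ca-signed"
    if (responder_cert.issuer == issuer_cert.subject
            and ID_KP_OCSP_SIGNING in responder_cert.ekus):
        return "delegated"
    if responder_cert.fingerprint in trusted_responders:
        return "trusted-responder"
    return None


# Constructed sample certificates; names and fingerprints are placeholders.
CA = Cert(subject="CN=Example Issuing CA", issuer="CN=Example Root",
          fingerprint="ca-key")
DELEGATED = Cert(subject="CN=Example OCSP Responder",
                 issuer="CN=Example Issuing CA",
                 fingerprint="ocsp-key", ekus=frozenset({ID_KP_OCSP_SIGNING}))
NO_EKU = Cert(subject="CN=Some Server", issuer="CN=Example Issuing CA",
              fingerprint="server-key")
FOREIGN = Cert(subject="CN=Responder Under Other Root", issuer="CN=Other Root",
               fingerprint="foreign-key", ekus=frozenset({ID_KP_OCSP_SIGNING}))


def demo() -> Dict[str, Optional[str]]:
    """Evaluate the sample responders for a client with no locally trusted
    responders (the browser default), and again for a client that has
    explicitly configured trust in the responder under the other root."""
    no_trust: FrozenSet[str] = frozenset()
    with_trust = frozenset({"foreign-key"})
    return {
        "ca": responder_acceptance(CA, CA, no_trust),
        "delegated": responder_acceptance(DELEGATED, CA, no_trust),
        "no_eku": responder_acceptance(NO_EKU, CA, no_trust),
        "foreign_default": responder_acceptance(FOREIGN, CA, no_trust),
        "foreign_trusted": responder_acceptance(FOREIGN, CA, with_trust),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome or 'rejected'}")
```

Running `demo()` shows both positions in the thread at once: the responder under a separate root is accepted only by a client that has been configured to trust it (rule 3), and rejected by a client relying solely on the AIA extension, which is why pointing such clients at that responder via AIA causes interoperability failures.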