István Zsolt BERTA:
It is conformant IF and only IF the user (not the CA) chooses to trust
that responder.  If the CERTIFICATE issued by the issuer says to go to
that responder for OCSP, but the responder's cert is not either
a) the issuer's cert, or
b) a cert issued by the same issuer as the cert under test,
then it is not conformant.  The RFC is very clear about that.

I still disagree. RFC 2560 does allow the responder to be under a
separate root as a 'trusted responder'. Naturally, no responder is
trusted by everyone, there are users who accept a certain responder and
there are users who do not accept it. I don't think that a responder is
not conformant according to RFC 2560 just because there are users who do
not trust it.

I think the point Nelson was making is that if the certificate issued to the users includes an OCSP URI, it's not conforming to the RFC.

We shall remove the OCSP URL from the AIA field for webserver
certificates.

Yes


I vote no on this proposal due to OCSP interoperability issues.

I think the removal of the OCSP URL should eliminate this problem.


Except if Nelson thinks otherwise, removing the AIA OCSP service URI solves this issue. More specifically, the Mozilla CA Policy calls for:

cRLDistributionPoints or OCSP authorityInfoAccess extensions for which no operational CRL or OCSP service exists.

Therefore the OCSP reference MUST NOT appear in the EE certificates of Microsec. I suggest following up on this to confirm compliance.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
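The two checks the thread turns on, written out as an added example (this is not code from the thread, from Microsec or from StartCom): whether an end-entity certificate advertises an OCSP responder in its authorityInfoAccess extension at all, and whether a given responder certificate is acceptable for that EE certificate under the RFC 2560 section 4.2.2.2 rule the participants are arguing about. The responder is accepted if it is the issuing CA itself, a certificate issued by that CA that carries id-kp-OCSPSigning, or a responder the relying party has explicitly chosen to trust; anything else is rejected. The whole PKI (CA names, the responder URL, the unrelated root) is constructed in memory with the Go standard library and every name is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed PKI: issuing CA, an EE certificate, a delegated
// OCSP responder under that CA, and a responder under an unrelated root.
type Scenario struct {
	Issuer, EE, Delegated, External *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's private key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func template(cn string, serial int64, ca bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// BuildScenario constructs the placeholder PKI; eeOCSPURL == "" omits the AIA OCSP pointer.
func BuildScenario(eeOCSPURL string) Scenario {
	caKey := newKey()
	caTmpl := template("Example Issuing CA", 1, true)
	issuer := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	eeTmpl := template("www.example.test", 2, false, x509.ExtKeyUsageServerAuth)
	if eeOCSPURL != "" {
		eeTmpl.OCSPServer = []string{eeOCSPURL} // encoded as authorityInfoAccess id-ad-ocsp
	}
	ee := issue(eeTmpl, issuer, &newKey().PublicKey, caKey)

	delegated := issue(template("Example OCSP Responder", 3, false, x509.ExtKeyUsageOCSPSigning),
		issuer, &newKey().PublicKey, caKey)

	extKey := newKey()
	extTmpl := template("Unrelated Responder Root", 4, true)
	extRoot := issue(extTmpl, extTmpl, &extKey.PublicKey, extKey)
	external := issue(template("Third-Party OCSP Responder", 5, false, x509.ExtKeyUsageOCSPSigning),
		extRoot, &newKey().PublicKey, extKey)

	return Scenario{Issuer: issuer, EE: ee, Delegated: delegated, External: external}
}

// HasOCSPPointer reports whether the certificate's AIA extension names an OCSP responder.
func HasOCSPPointer(c *x509.Certificate) bool { return len(c.OCSPServer) > 0 }

// ResponderAcceptable applies the RFC 2560 section 4.2.2.2 rule for a response
// covering a certificate issued by issuer. trusted holds responders the relying
// party itself has chosen to accept (the "trusted responder" case).
func ResponderAcceptable(responder, issuer *x509.Certificate, trusted []*x509.Certificate) (bool, string) {
	if responder.Equal(issuer) {
		return true, "responder key is the issuing CA's key"
	}
	if err := responder.CheckSignatureFrom(issuer); err == nil {
		for _, eku := range responder.ExtKeyUsage {
			if eku == x509.ExtKeyUsageOCSPSigning {
				return true, "delegated responder issued by the CA with id-kp-OCSPSigning"
			}
		}
		return false, "issued by the CA but lacks id-kp-OCSPSigning"
	}
	for _, t := range trusted {
		if responder.Equal(t) {
			return true, "responder explicitly trusted by this relying party"
		}
	}
	return false, "responder under a different issuer and not locally trusted"
}

func main() {
	s := BuildScenario("http://ocsp.example.test") // placeholder URL
	fmt.Println("EE advertises OCSP in AIA:", HasOCSPPointer(s.EE))
	for name, r := range map[string]*x509.Certificate{"issuer": s.Issuer, "delegated": s.Delegated, "external": s.External} {
		ok, why := ResponderAcceptable(r, s.Issuer, nil)
		fmt.Printf("%-9s acceptable=%v (%s)\n", name, ok, why)
	}
}
```

The external responder is rejected with an empty trust list and accepted once the relying party adds it, which is exactly the distinction in the thread: the RFC permits a responder under a separate root only as a local trust decision, so a CA cannot make that choice for its relying parties by pointing the EE certificate's AIA at it. Removing the AIA pointer, as proposed above, makes `HasOCSPPointer` return false for the EE certificate.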
