> I think we have a problem here! I wanted to make sure that the CA root
> and intermediate CA certificates don't include OCSP AIA extensions and I
> noticed the following when importing and examining the CA root...
In fact, our intermediate CA certificates also included an OCSP AIA extension. As we promised, we have updated the profile of our webserver certificates, so now we do not include an OCSP URL in the AIA field. We have also updated the CA certificate we use for issuing webserver certificates, so now it does not include an OCSP URL either. See https://www.e-szigno.hu as an example. (Now this server also presents the certificate chain.)

> - The CA root includes the OCSP service URI in the AIA extension:

We accept that it is awkward that our root certificate includes the OCSP AIA extension; it was a bad idea for us to include it. Unfortunately, our root certificate is not something we can change in the short run. We don't quite understand why anyone would check the revocation status of a trust anchor via CRL or OCSP.

Regards,

István

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto