Nelson B Bolyard wrote:
> Frank Hecker wrote, On 2008-10-17 06:57:
>
>> Please refresh my memory here: As I understand it, the basic problem was
>> that if the Microsec root were included in Firefox (or other products)
>> and a user surfed to an SSL/TLS-enabled site with an end entity
>> certificate issued by Microsec (a cert with the AIA extension with the
>> OCSP URL), then this would cause an error in Firefox 3, because Firefox
>> 3 does OCSP checking by default and it would get what it considered to
>> be a bad OCSP response. Do I have this right?
>
> Yes. Bad response, ugly errors, no fun.

With the default settings in Firefox 3, it isn't that bad... remember that
it's the "graceful failure" mode which is selected by default:

> 1056     PRBool ocspRequired;
> 1057     pref->GetBoolPref("security.OCSP.require", &ocspRequired);
> 1058     if (ocspRequired) {
> 1059       CERT_SetOCSPFailureMode(ocspMode_FailureIsVerificationFailure);
> 1060     }
> 1061     else {
> 1062       CERT_SetOCSPFailureMode(ocspMode_FailureIsNotAVerificationFailure);
> 1063     }
> 1064   }

[http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSComponent.cpp&rev=1.167&mark=1056-1063#1056]

And in Firefox 2, OCSP is disabled by default anyway.

Frank Hecker wrote:
> What I'd like to see from Microsec is a plan to first address
> fixing certificates for SSL/TLS web sites (to prevent problems with
> Firefox 3)

After a closer look, I think that the "Microsec OCSP issue" isn't really
one, at least for the foreseeable future. Looking at the OCSP URIs in the
chain served by https://rca.e-szigno.hu e.g., we see this list:

  Method: PKIX Online Certificate Status Protocol
  Location: URI: "https://srv.e-szigno.hu/ocsp"

  Method: PKIX Online Certificate Status Protocol
  Location: URI: "https://arca.e-szigno.hu/aocsp"

  Method: PKIX Online Certificate Status Protocol
  Location: URI: "https://rca.e-szigno.hu/ocsp"

I.e., unless bugs 205436 or 92923 are worked on soon, using https OCSP URIs
will quite effectively prevent Mozilla clients from connecting to this
responder :-) [1]

István, maybe you can confirm that in all the certs issued so far you've
only used https OCSP URIs?

Kaspar

[1] for NSS, cf.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certhigh/ocsp.c&rev=1.55&mark=2741-2746#2741

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
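As an added example (not code from the thread, from NSS or from Microsec), assuming the Python `cryptography` library: build a throwaway certificate carrying the three https OCSP URIs listed above, pull them back out of its AIA extension, and show what the two failure modes from the quoted nsNSSComponent.cpp snippet make of a responder that NSS's http-only OCSP client never contacts. Function names and the sample certificate are constructed for this example.

```python
import datetime
from urllib.parse import urlsplit
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Constructed sample: the three responder URIs seen in the rca.e-szigno.hu chain.
SAMPLE_OCSP_URIS = ["https://srv.e-szigno.hu/ocsp",
                    "https://arca.e-szigno.hu/aocsp",
                    "https://rca.e-szigno.hu/ocsp"]

def make_test_cert(uris):
    """Throwaway self-signed cert whose AIA extension lists the given OCSP URIs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed test cert")])
    now = datetime.datetime.now(datetime.timezone.utc)
    aia = x509.AuthorityInformationAccess(
        [x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                x509.UniformResourceIdentifier(u)) for u in uris])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(aia, critical=False)
            .sign(key, hashes.SHA256()))

def ocsp_uris(cert):
    """OCSP responder URIs from the certificate's AIA extension (empty if none)."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]

def nss_reachable(uris):
    """The NSS OCSP client referenced in [1] only fetches over plain http://,
    so an https:// (or any other) responder URI is simply never contacted."""
    return [u for u in uris if urlsplit(u).scheme.lower() == "http"]

def verdict(uris, ocsp_required):
    """What the chain gets under the two CERT_SetOCSPFailureMode settings quoted
    above: a fetch that never happens is only fatal when security.OCSP.require is on."""
    if nss_reachable(uris):
        return "http responder available"
    return "verification failure" if ocsp_required else "accepted without OCSP"
```

Run `verdict(ocsp_uris(make_test_cert(SAMPLE_OCSP_URIS)), False)` to see the Firefox 3 default outcome for this chain; a CA can point `ocsp_uris` at its own issued certificates to find AIA entries that Mozilla clients of that era would silently skip.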