On Thursday, March 6, 2014 22:43:12 UTC+1, Kathleen Wilson wrote:
> Actalis has applied to enable EV treatment for the "Actalis
> Authentication Root CA" root certificate that was included in NSS via
> bug #520557.
[...]
> * EV Policy OID: 1.3.159.1.17.1
>
> * Test Website: https://ssltest-a.actalis.it:8443
>
> * OCSP
> http://portal.actalis.it/VA/AUTH-ROOT
> http://ocsp03.actalis.it/VA/AUTH-G2
> OCSP responses have an expiration time of 1 day

Your OCSP responders contain the CA certificate that issued the authorized OCSP responder certificate. This is useless because the requester already has it (if it hasn't, it can't create the request). You should strip it to produce smaller responses that are delivered faster to third parties (you can gain 1 TCP segment).

When requesting the OCSP responder to check the subscriber certificate (thus signed by the intermediate), the response contains a self-signed certificate for your intermediate CA, instead of the "root-issued" genuine one. Why? It can make some software reject your responses (even if they shouldn't).

The authorized OCSP responder certificates don't contain the mandatory OCSPNoCheck extension (BR 1.1, section 13.2.5).

> * Audit: Annual audits are performed by IMQ (http://www.imq.it/)
> according to the ETSI TS 102 042 criteria, V2.2.1 with reference to EV
> Guidelines v1.3.
> http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/ActalisCA_Audit_Statement.pdf
> (2013.10.18)
> In the audit statement: "During the Certification Authority audit it was
> also verified that the above-mentioned certification services meet the
> requirements of the following specification: "Baseline Requirements for
> the Issuance and Management of Publicly-Trusted Certificates", v.1.1..."

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
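An added check for the responder-certificate issues raised in the reply above (this is example code, not from the thread or from Actalis), assuming Python with the `cryptography` package: it builds a throwaway CA, issues a responder certificate with and without id-pkix-ocsp-nocheck, wraps each in an OCSP response, and lints the embedded chain for the missing extension, a redundant issuing-CA certificate, and a self-signed certificate where a chain-issued one belongs.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, as the builders expect

def _cert(cn, issuer_cert, signer_key, key, *exts):
    """Demo-only certificate factory; issuer_cert=None produces a self-signed cert."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365)))
    for ext in exts:
        b = b.add_extension(ext, critical=False)
    return b.sign(signer_key, hashes.SHA256())

def lint_ocsp_response(der, issuer_cert):
    """Findings about the certificates a DER OCSP response carries (first one = signer)."""
    resp = ocsp.load_der_ocsp_response(der)
    if not resp.certificates:
        return ["no responder certificate in response"]
    responder, extra, findings = resp.certificates[0], resp.certificates[1:], []
    try:  # RFC 6960 / BR: a delegated responder must carry id-pkix-ocsp-nocheck
        responder.extensions.get_extension_for_class(x509.OCSPNoCheck)
    except x509.ExtensionNotFound:
        findings.append("responder cert lacks id-pkix-ocsp-nocheck")
    for c in extra:
        if c == issuer_cert:  # the client already holds this to build its request
            findings.append("response carries the issuing CA cert the client already has")
        elif c.subject == c.issuer:
            findings.append("response carries a self-signed cert instead of the chain-issued one")
    return findings

def demo():
    """Lint a bad response (no nocheck, CA cert appended) and a corrected one."""
    ca_key, rk, lk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _cert("Demo CA", None, ca_key, ca_key, x509.BasicConstraints(ca=True, path_length=None))
    leaf = _cert("leaf.example", ca, ca_key, lk)
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING])
    bad = _cert("OCSP responder", ca, ca_key, rk, eku)
    good = _cert("OCSP responder", ca, ca_key, rk, eku, x509.OCSPNoCheck())
    out = []
    for signer, chain in ((bad, [bad, ca]), (good, [good])):
        b = (ocsp.OCSPResponseBuilder()
             .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA1(),
                           cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                           next_update=NOW + timedelta(days=1),
                           revocation_time=None, revocation_reason=None)
             .responder_id(ocsp.OCSPResponderEncoding.HASH, signer).certificates(chain))
        out.append(lint_ocsp_response(b.sign(rk, hashes.SHA256())
                                      .public_bytes(serialization.Encoding.DER), ca))
    return out
```

To audit a live responder, save the DER response (for example with `openssl ocsp -respout`) and pass it with the issuing CA certificate to `lint_ocsp_response`.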