On Friday, January 23, 2015 at 12:20:38 AM UTC+8, Erwann Abalea wrote:
> On Wednesday, January 7, 2015 at 22:25:00 UTC+1, Kathleen Wilson wrote:
> > China Financial Certification Authority (CFCA) has applied to include 
> > the "CFCA EV ROOT" root certificate, turn on the websites trust bit, and 
> > enable EV treatment.
> [...]
> > * Root Cert: https://bugzilla.mozilla.org/attachment.cgi?id=8356494
> > 
> > * Test Website: https://pub.cebnet.com.cn
> > 
> > * OCSP
> > http://ocsp.cfca.com.cn/ocsp/
> > CPS 4.8.9: The maximum validity period for OCSP response does not exceed 
> > 7 days.
> 
> Sorry for the delay.
> 
> Getting the CRL issued by "CFCA EV ROOT" shows 2 revoked certificates (serial 
> numbers 0x844543D3B8 and 0xE6A7F45CF7).
> When requesting the OCSP for the status of these serial numbers, the OCSP 
> responder replies with an "unknown" status.

Erwann, Thanks for your review.

We checked the issue you mentioned; it appears that the 2 certificates with SN 
0x844543D3B8 and 0xE6A7F45CF7 are OCSP signing certificates we replaced in 2014 
in order to conform to the Baseline Requirements.

The problem is resolved now; OCSP responses for 0x844543D3B8 and 
0xE6A7F45CF7 are "revoked" instead of "unknown".

OCSP signing certificates' revocation status in the OCSP system used to be offline for 
the EV OCA level.
These certificates can't issue any certificates or be used as website 
certificates.

Now we have updated the model: once any change takes place at the EV OCA level, 
including issuance of new (EV OCA level) certificates and certificate 
revocation/replacement (at the EV OCA level), the database of the OCSP service for the EV OCA level 
will be updated.

So this problem won't happen again.
In addition, this problem does not affect our current subscribers/users.
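The cross-check Erwann describes above, as an added example that is neither the reviewer's nor CFCA's code: it takes the serials a CRL marks as revoked, asks the OCSP responder about each one, and reports every serial that does not come back "revoked". The live part assumes the `cryptography` package (41 or newer, for `add_certificate_by_hash`) and an RSA issuer key; the two serials from the thread, paired with the "unknown" answers reported at the time, are constructed sample input for an offline run.

```python
import hashlib
import urllib.request

# Constructed sample: the two serials the CRL listed as revoked, and the
# "unknown" answers the responder gave for them at the time of the review.
SAMPLE_CRL_SERIALS = [0x844543D3B8, 0xE6A7F45CF7]
SAMPLE_OCSP_ANSWERS = {0x844543D3B8: "unknown", 0xE6A7F45CF7: "unknown"}


def find_inconsistencies(crl_serials, ocsp_status):
    """(serial, status) for each CRL-revoked serial whose OCSP answer is not
    "revoked": "unknown" is the thread's case; "good" would be worse, since
    OCSP-preferring clients would keep trusting a revoked certificate."""
    bad = []
    for serial in crl_serials:
        status = ocsp_status(serial)
        if status != "revoked":
            bad.append((serial, status))
    return bad

def crl_revoked_serials(crl_der):
    """Serial numbers of all entries in a DER-encoded CRL."""
    from cryptography import x509
    return [entry.serial_number for entry in x509.load_der_x509_crl(crl_der)]

def live_ocsp_status(responder_url, issuer_der):
    """Return a function that asks a real responder about one serial number.
    CertID takes SHA-1 of the issuer's DER name and of its subjectPublicKey bit
    string (RFC 6960 4.1.1); for RSA issuers that bit string is PKCS#1."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
    from cryptography.x509 import ocsp
    issuer = x509.load_der_x509_certificate(issuer_der)
    name_hash = hashlib.sha1(issuer.subject.public_bytes()).digest()
    key_hash = hashlib.sha1(issuer.public_key().public_bytes(
        Encoding.DER, PublicFormat.PKCS1)).digest()

    def status(serial):
        req = ocsp.OCSPRequestBuilder().add_certificate_by_hash(
            name_hash, key_hash, serial, hashes.SHA1()).build()
        http = urllib.request.Request(
            responder_url, data=req.public_bytes(Encoding.DER),
            headers={"Content-Type": "application/ocsp-request"})
        with urllib.request.urlopen(http, timeout=10) as reply:
            resp = ocsp.load_der_ocsp_response(reply.read())
        if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
            return "error:" + resp.response_status.name.lower()
        return resp.certificate_status.name.lower()  # good / revoked / unknown
    return status
```

For a live run, pass `crl_revoked_serials(crl_bytes)` and `live_ocsp_status("http://ocsp.cfca.com.cn/ocsp/", issuer_cert_bytes)` to `find_inconsistencies`; an empty result means CRL and OCSP agree.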
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy