Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-01 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 1, 2020 at 5:05 PM Ryan Sleevi wrote:
> While I'll be looking to create Compliance Incidents for the affected CAs,
> This is now done, I believe. However, as mentioned, just because a compliance bug was not filed does not mean that a CA may not be affected; it may just be that CT

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-01 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi via dev-security-policy writes:
>Section 4.9.9 of the BRs requires that OCSP Delegated Responders MUST include
>an id-pkix-ocsp-nocheck extension. RFC 6960 defines an OCSP Delegated
>Responder within Section 4.2.2.2 as indicated by the presence of the id-kp-OCSPSigning as an EKU.

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-01 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 1, 2020 at 11:48 PM Peter Gutmann wrote:
> Ryan Sleevi via dev-security-policy
> writes:
>
> >Section 4.9.9 of the BRs requires that OCSP Delegated Responders MUST
> include
> >an id-pkix-ocsp-nocheck extension. RFC 6960 defines an OCSP Delegated
> >Responder within Section 4.2.2.2