SecurityEngineering/mozpkix-testing: Difference between revisions

SecurityEngineering/mozpkix-testing (view source)

550 bytes removed , 23 April 2015

Confirmed users, Administrators

5,526

edits

@@ Line 101: / Line 101: @@
 # OCSP responders should not include a responseExtensions consisting of an empty SEQUENCE (e.g. A2 02 30 00 - see http://tools.ietf.org/html/rfc6960#section-4.2.1 under ResponseData for reference). [http://www.ietf.org/rfc/rfc3280.txt RFC 3280] defines Extensions as SEQUENCE SIZE (1..MAX) OF Extension, so the empty SEQUENCE is not a valid encoding. Instead of using an empty SEQUENCE, the OCSP responder should just omit the responseExtensions in the ResponseData.
 #* Related Bugs: {{Bug|991898}}, {{Bug|997994}}
-# According to RFC 5280: "In conforming CA certificates, the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension (Section 4.2.1.1) of certificates issued by the subject of this certificate. Applications are not required to verify that key identifiers match when performing certification path validation." So, in mozilla::pkix we will not be checking this, but we would like to remind CAs that they are supposed to do this.
-#* Related Bugs: {{Bug|991823}}, {{Bug|997917}}
 # OCSP responses for subscriber certificates must have a maximum expiration time of ten days. BR #13.2.2: "For the status of Subscriber Certificates: ... The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days."
 #* Related Bugs: {{Bug|1025625}}, {{Bug|997509}}