CA/Revocation Reasons: Difference between revisions

CA/Revocation Reasons (view source)

Revision as of 22:11, 18 April 2022

426 bytes added , 18 April 2022

re-drafted OCSP section

Kathleen Wilson

Confirmed users, Administrators

5,526

edits

@@ Line 106: / Line 106: @@
 == OCSP ==
-Mozilla does not expect there to be CRLReasons in OCSP responses for TLS end-entity certificates.
+When processing an [https://datatracker.ietf.org/doc/html/rfc6960#section-2.2 OCSP response], Firefox:
+* Rejects the OCSP response if it contains extensions that are marked critical
+* Does not process any OCSP extensions other than [https://datatracker.ietf.org/doc/html/rfc6962#section-3.3 1.3.6.1.4.1.11129.2.4.5 (SCT list)]
+* Ignores [https://datatracker.ietf.org/doc/html/rfc5280#section-5.3 CRL entry extensions] (if they are not marked critical)
-Section 7.3.2 of the BRs says: ''The singleExtensions of an OCSP response MUST NOT contain the reasonCode (OID 2.5.29.21) CRL entry extension.''
+Mozilla:
+* Expects CAs to follow the [https://cabforum.org/baseline-requirements-documents/ BRs]
+* Does not expect [https://www.mozilla.org/projects/security/certs/policy/ Mozilla Root Store Policy] section 6.1.1, "End-Entity TLS Certificate CRLRevocation Reasons", to also apply to OCSP responses
-The BRs say the following in relation to certificateHold:
+* Does not expect consistency between OCSP and CRL revocation reason codes for a certificate
-* Section 7.2.2: ''the CRLReason MUST NOT be certificateHold''
+* Does not do anything special for an OCSP response indicating certificateHold
-* Section 7.3 (OCSP Profile): ''the CRLReason indicated MUST contain a value permitted for CRLs, as specified in Section 7.2.2.''
 == Banned Revocation Reasons ==