Firefox's OCSP configuration DOES permit the user to configure it with a URL of an OCSP responder to which Firefox will then send ALL of its OCSP requests. When such a configuration is made, the user must also tell it which certificate to use to verify all the OCSP responses from that responder. The certificate must have previously been imported. Presently, the cert must be marked as a trusted issuer, or it will not appear in Firefox's certificate selection UI. This is a bug in the certificate selection UI.
A common misunderstanding occurs when a CA reads the standard as allowing the relying party to associate a configured OCSP responder certificate with one particular OCSP responder, while expecting the relying party's software to keep sending OCSP requests to the responder named in each certificate in the normal fashion and then, when a response arrives, to check it against the configured responder certificate. That is not how Firefox's trusted responder mode works.

As a result of this misunderstanding, public CAs (typically those serving small countries) set up their own OCSP responder and expect the user to configure his browser to use that responder as his trusted OCSP responder. That is possible, but if it is done, the user will be sending ALL of his OCSP requests to that responder, and we have not yet seen ANY public CA's OCSP responder that is willing and able to act as a proxy responder for other CAs' certificates. A responder that only knows its own CA's certificates will answer "unknown" (or not at all) for everyone else's, and Firefox treats that as a failed revocation check.

So, in practice, trusted responder mode only works for users who are only going to visit web sites that get their certificates from one CA - in other words, only in the small closed environment where all the certs come from that one CA. Such an environment may exist in corporations or governments, but not in the homes of the average Mozilla browser user.
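The following is an added illustration, not Firefox or NSS code, that models the routing described above: in trusted responder mode every request goes to the configured URL and is verified against the configured signer, so a certificate from a second CA fails when the configured responder cannot answer for it. The preference names (security.OCSP.enabled with 0 = off, 1 = use the responder named in each certificate, 2 = trusted responder; security.OCSP.URL; security.OCSP.signingCA) are the about:config names older Firefox releases exposed; the CA names, URLs and responder behaviour are constructed for the example.

```javascript
// Added model of Firefox's OCSP trusted-responder preference (not Firefox/NSS code).
// Pref names follow older Firefox about:config entries; all values below are assumed.
const OCSP_OFF = 0;      // security.OCSP.enabled = 0: no revocation checking
const OCSP_AIA = 1;      // = 1: ask the responder named in each certificate (AIA)
const OCSP_TRUSTED = 2;  // = 2: send ALL requests to security.OCSP.URL

// Constructed prefs: a user who followed a small CA's "use our responder" instructions.
const trustedResponderPrefs = {
  "security.OCSP.enabled": OCSP_TRUSTED,
  "security.OCSP.URL": "http://ocsp.smallca.example/",
  "security.OCSP.signingCA": "SmallCA OCSP Signer",
};
const normalPrefs = { ...trustedResponderPrefs, "security.OCSP.enabled": OCSP_AIA };

// Constructed end-entity certificates: issuer plus the OCSP URL from the AIA extension.
const certs = [
  { subject: "www.gov.example",  issuer: "SmallCA",     aiaOcsp: "http://ocsp.smallca.example/" },
  { subject: "www.shop.example", issuer: "BigPublicCA", aiaOcsp: "http://ocsp.bigpublicca.example/" },
];

// Constructed responders: which issuers each one can answer for, and which cert signs its responses.
// Neither acts as a proxy for the other CA, matching what the text reports for public CAs.
const responders = {
  "http://ocsp.smallca.example/":     { signer: "SmallCA OCSP Signer",     knownIssuers: ["SmallCA"] },
  "http://ocsp.bigpublicca.example/": { signer: "BigPublicCA OCSP Signer", knownIssuers: ["BigPublicCA"] },
};

// Where does the request go, and which certificate must have signed the reply?
function ocspTarget(prefs, cert) {
  switch (prefs["security.OCSP.enabled"]) {
    case OCSP_OFF:
      return null;
    case OCSP_TRUSTED:
      // The issuer of the cert being checked is irrelevant: one URL, one signer, for everything.
      return { url: prefs["security.OCSP.URL"], expectedSigner: prefs["security.OCSP.signingCA"] };
    default:
      // Normal mode: responder named in the cert; reply must come from that issuer's responder.
      // (Real verification also accepts a responder cert delegated by the issuer; simplified here.)
      return { url: cert.aiaOcsp, expectedSigner: `${cert.issuer} OCSP Signer` };
  }
}

// Simulated responder: answers "good" only for issuers it serves, "unknown" for anything else.
function query(url, cert) {
  const r = responders[url];
  if (!r) return { status: "unreachable", signer: null };
  return { status: r.knownIssuers.includes(cert.issuer) ? "good" : "unknown", signer: r.signer };
}

// Outcome of the revocation check for one certificate under the given prefs.
// Anything other than "good" causes the TLS connection to fail in the modelled browser.
function checkCert(prefs, cert) {
  const target = ocspTarget(prefs, cert);
  if (target === null) return { subject: cert.subject, url: null, result: "skipped" };
  const reply = query(target.url, cert);
  if (reply.status === "unreachable") return { subject: cert.subject, url: target.url, result: "error" };
  if (reply.signer !== target.expectedSigner) return { subject: cert.subject, url: target.url, result: "bad-signature" };
  return { subject: cert.subject, url: target.url, result: reply.status };
}

function checkAll(prefs) {
  return certs.map((c) => checkCert(prefs, c));
}

// Stand-alone run: the second CA's cert passes in normal mode and fails in trusted-responder mode.
console.log(checkAll(normalPrefs));
console.log(checkAll(trustedResponderPrefs));
```

The second table shows the practical problem: www.shop.example's request is sent to ocsp.smallca.example, which cannot answer for BigPublicCA, so the check comes back "unknown" and the site becomes unreachable for this user even though nothing is wrong with its certificate.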