SecurityEngineering/mozpkix-testing: Difference between revisions

SecurityEngineering/mozpkix-testing (view source)

499 bytes added , 22 April 2014

Confirmed users, Administrators

5,526

edits

@@ Line 83: / Line 83: @@
 #* RFC 5280 section 4.2.1.9: "CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit."
 #* Related Bugs: {{Bug|982878}}, {{Bug|985021}}, {{Bug|985025}}
+# OCSP responders should not include a responseExtensions consisting of an empty SEQUENCE (e.g. A2 02 30 00 - see http://tools.ietf.org/html/rfc6960#section-4.2.1 under ResponseData for reference). [http://www.ietf.org/rfc/rfc3280.txt RFC 3280] defines Extensions as SEQUENCE SIZE (1..MAX) OF Extension, so the empty SEQUENCE is not a valid encoding. Instead of using an empty SEQUENCE, the OCSP responder should just omit the responseExtensions in the ResponseData.
+#* Related Bugs: {{Bug|991898}}
 # According to RFC 5280: "In conforming CA certificates, the value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension (Section 4.2.1.1) of certificates issued by the subject of this certificate. Applications are not required to verify that key identifiers match when performing certification path validation." So, in mozilla::pkix we will not be checking this, but we would like to remind CAs that they are supposed to do this.
 #* Related Bugs: {{Bug|991823}}, {{Bug|997917}}