RFC6962-bis: Need to clarify "OCSP extension"
GoogleCodeExporter commented
RFC6962 Section 3.3 says:
"...or by using Online Certificate Status
Protocol (OCSP) Stapling (also known as the "Certificate Status
Request" TLS extension; see [RFC6066]), where the response includes
an OCSP extension with OID 1.3.6.1.4.1.11129.2.4.5..."
"OCSP extension" is ambiguous here. An RFC2560/6960 "Basic" OCSP Response can
contain status information for 1 or more certificates. For each certificate,
there is an optional "singleExtensions" list of extensions. And at the very
end of the Response, there is an optional "responseExtensions" list of
extensions.
Since each SCT relates to precisely one certificate, I think that
"singleExtensions" is the right place to put the .2.4.5 extension.
To avoid interop issues, could RFC6962-bis clarify this?
(It's very common for an OCSP Response to only include status for 1
certificate, so some implementers might put the .2.4.5 extension in
"responseExtensions" without even considering the alternative).
Original issue reported on code.google.com by robst...@gmail.com on 9 Oct 2013 at 2:54
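As an added illustration of the two candidate locations the post describes (this is not code from the issue or from the certificate-transparency project): a small DER walker that reports whether the OID 1.3.6.1.4.1.11129.2.4.5 extension sits in a SingleResponse's singleExtensions or in the top-level responseExtensions, run over constructed minimal ResponseData samples. The DER helpers, the dummy certID/status/time values and all function names are assumptions of this example.

```python
SCT_OID = bytes.fromhex("2b06010401d679020405")  # DER body of OID 1.3.6.1.4.1.11129.2.4.5

def der(tag, body):  # minimal DER TLV encoder, short-form lengths only (enough for the samples)
    return bytes([tag, len(body)]) + body

def tlvs(buf):
    """Split a DER buffer into its (tag, value) children; handles long-form lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length octets
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def has_sct_ext(explicit_exts):
    """explicit_exts is the content of a [1] EXPLICIT Extensions field; True if any extnID is the SCT OID."""
    seq = tlvs(explicit_exts)[0][1]  # unwrap the SEQUENCE OF Extension
    return any(tlvs(ext)[0] == (0x06, SCT_OID) for _, ext in tlvs(seq))

def locate_sct_extension(response_data):
    """Return where a DER ResponseData carries the SCT extension: 'singleExtensions[i]'
    and/or 'responseExtensions'. Field order disambiguates tag [1]: in ResponseData it is
    responderID byName before the responses SEQUENCE and responseExtensions after it; in a
    SingleResponse it is a revoked certStatus before thisUpdate and singleExtensions after."""
    found, seen_responses = [], False
    for tag, val in tlvs(tlvs(response_data)[0][1]):
        if tag == 0x30 and not seen_responses:
            seen_responses = True
            for i, (_, single) in enumerate(tlvs(val)):
                past_this_update = False
                for t, v in tlvs(single):
                    if t == 0x18:
                        past_this_update = True
                    elif t == 0xA1 and past_this_update and has_sct_ext(v):
                        found.append(f"singleExtensions[{i}]")
        elif tag == 0xA1 and seen_responses and has_sct_ext(val):
            found.append("responseExtensions")
    return found

def sample_response_data(where):
    """Constructed minimal ResponseData (dummy certID, status, times; not a real OCSP response)."""
    sct_ext = der(0x30, der(0x06, SCT_OID) + der(0x04, b"\x00\x00"))  # dummy extnValue
    exts = der(0xA1, der(0x30, sct_ext))  # [1] EXPLICIT Extensions
    t = der(0x18, b"20131009025400Z")
    single = der(0x30, der(0x30, b"") + der(0x80, b"") + t + (exts if where == "single" else b""))
    responder = der(0xA2, der(0x04, b"\x01" * 20))  # responderID byKey
    return der(0x30, responder + t + der(0x30, single) + (exts if where == "response" else b""))
```

A verifier that only looks in responseExtensions (or only in singleExtensions) would miss the SCT list in one of the two samples, which is exactly the interop problem the post raises.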
GoogleCodeExporter commented
That seems like a good idea.
Original comment by benl@google.com on 9 Oct 2013 at 2:55
GoogleCodeExporter commented
Clarified in https://code.google.com/p/certificate-transparency/source/detail?r=2f68eabeefdd81dabb2ff6dc58fd006e2b11a4d6
Original comment by ekasper@google.com on 5 Dec 2013 at 3:56
- Changed state: Fixed