defacto64/certificate-transparency

RFC6962-bis: Need to clarify "OCSP extension"

Closed this issue · 2 comments

RFC6962 Section 3.3 says:
  "...or by using Online Certificate Status
   Protocol (OCSP) Stapling (also known as the "Certificate Status
   Request" TLS extension; see [RFC6066]), where the response includes
   an OCSP extension with OID 1.3.6.1.4.1.11129.2.4.5..."

"OCSP extension" is ambiguous here.  An RFC2560/6960 "Basic" OCSP Response can 
contain status information for 1 or more certificates.  For each certificate, 
there is an optional "singleExtensions" list of extensions.  And at the very 
end of the Response, there is an optional "responseExtensions" list of 
extensions.

Since each SCT relates to precisely one certificate, I think that 
"singleExtensions" is the right place to put the .2.4.5 extension.

To avoid interop issues, could RFC6962-bis clarify this?

(It's very common for an OCSP Response to only include status for 1 
certificate, so some implementers might put the .2.4.5 extension in 
"responseExtensions" without even considering the alternative).

Original issue reported on code.google.com by robst...@gmail.com on 9 Oct 2013 at 2:54
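To make the ambiguity concrete, here is an added example (not code from this issue or from the certificate-transparency project) that builds two constructed DER `BasicOCSPResponse` values, one carrying the 1.3.6.1.4.1.11129.2.4.5 extension in `singleExtensions` and one carrying it in `responseExtensions`, and reports where a consumer would find it. The DER helpers, the sample responses, the dummy hashes and the zero-filled signature are all constructed for illustration; `locate_sct_extension` and `placement_is_unambiguous` are names chosen here, not part of any RFC or library.

```python
"""Locate the SCT OCSP extension (OID 1.3.6.1.4.1.11129.2.4.5) in a DER BasicOCSPResponse.

Constructed example: a minimal DER encoder/decoder plus two hand-built OCSP responses.
The hashes, times and signature are placeholders, not real OCSP data.
"""

SCT_OID = "1.3.6.1.4.1.11129.2.4.5"


# ---- minimal DER encoding ----
def der_len(n):
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]          # low 7 bits, no continuation bit
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


# ---- minimal DER decoding ----
def decode_oid(content):
    parts = [content[0] // 40, content[0] % 40]   # valid for first arc 0 or 1
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element at buf[pos]; definite lengths only."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def children(content):
    """Split the content of a constructed element into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        out.append((tag, inner))
    return out


def has_oid(explicit_exts_content, oid):
    """explicit_exts_content is the body of a [1] EXPLICIT wrapper around SEQUENCE OF Extension."""
    seq = children(explicit_exts_content)[0][1]
    return any(decode_oid(children(ext)[0][1]) == oid for _, ext in children(seq))


# ---- constructed OCSP response builders (RFC 6960 layout) ----
def extension(oid, value):
    return tlv(0x30, encode_oid(oid) + tlv(0x04, value))        # critical omitted (DEFAULT FALSE)


def extensions(*exts):
    return tlv(0x30, b"".join(exts))                              # SEQUENCE OF Extension


def single_response(serial, single_exts=None):
    cert_id = tlv(0x30,
                  tlv(0x30, encode_oid("1.3.14.3.2.26") + tlv(0x05, b""))   # sha1 AlgorithmIdentifier
                  + tlv(0x04, b"\x11" * 20)                                  # issuerNameHash (dummy)
                  + tlv(0x04, b"\x22" * 20)                                  # issuerKeyHash (dummy)
                  + tlv(0x02, serial))
    body = cert_id + tlv(0x80, b"") + tlv(0x18, b"20131009145400Z")          # good, thisUpdate
    if single_exts:
        body += tlv(0xA1, single_exts)                                        # singleExtensions [1]
    return tlv(0x30, body)


def basic_ocsp_response(single_responses, response_exts=None):
    tbs = tlv(0xA2, tlv(0x04, b"\x33" * 20))                                  # responderID byKey [2]
    tbs += tlv(0x18, b"20131009145400Z")                                      # producedAt
    tbs += tlv(0x30, b"".join(single_responses))                             # responses
    if response_exts:
        tbs += tlv(0xA1, response_exts)                                       # responseExtensions [1]
    sig_alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    signature = tlv(0x03, b"\x00" * 33)                                       # placeholder, not a real signature
    return tlv(0x30, tlv(0x30, tbs) + sig_alg + signature)


# ---- the check this issue is about ----
def locate_sct_extension(der):
    """Return serials whose singleExtensions carry the SCT extension, and whether responseExtensions does."""
    _, basic, _ = read_tlv(der)
    fields = children(children(basic)[0][1])                                  # tbsResponseData fields
    if fields[0][0] == 0xA0:                                                  # optional [0] version
        fields = fields[1:]
    found = {"singleExtensions": [], "responseExtensions": False}
    for _, sr in children(fields[2][1]):                                      # each SingleResponse
        sr_fields = children(sr)
        serial = int.from_bytes(children(sr_fields[0][1])[3][1], "big")
        if any(t == 0xA1 and has_oid(c, SCT_OID) for t, c in sr_fields[3:]):
            found["singleExtensions"].append(serial)
    found["responseExtensions"] = any(t == 0xA1 and has_oid(c, SCT_OID) for t, c in fields[3:])
    return found


def placement_is_unambiguous(der):
    """True only when SCTs are bound to a specific certificate via singleExtensions."""
    where = locate_sct_extension(der)
    return bool(where["singleExtensions"]) and not where["responseExtensions"]


SCT_EXT = extension(SCT_OID, b"\x00\x00")   # placeholder SignedCertificateTimestampList bytes
RESPONSE_SINGLE = basic_ocsp_response([single_response(b"\x01\x02", extensions(SCT_EXT))])
RESPONSE_GLOBAL = basic_ocsp_response([single_response(b"\x01\x02"), single_response(b"\x01\x03")],
                                      extensions(SCT_EXT))

if __name__ == "__main__":
    print("singleExtensions  :", locate_sct_extension(RESPONSE_SINGLE))
    print("responseExtensions:", locate_sct_extension(RESPONSE_GLOBAL))
```

The second constructed response shows why the placement matters: with two `SingleResponse` entries and the SCT extension in `responseExtensions`, a consumer cannot tell which certificate the SCT list belongs to, whereas `singleExtensions` ties it to one `certID`.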

That seems like a good idea.

Original comment by benl@google.com on 9 Oct 2013 at 2:55

Clarified in
https://code.google.com/p/certificate-transparency/source/detail?r=2f68eabeefdd81dabb2ff6dc58fd006e2b11a4d6

Original comment by ekasper@google.com on 5 Dec 2013 at 3:56

  • Changed state: Fixed