Jan 14th (Wed)
5. Firefox 3 will test the server certificate for revocation status using the OCSP protocol.
- The server certificate must contain an Authority Information Access (AIA) extension that carries an OCSP URI using the HTTP protocol.
- Firefox must be able to complete an OCSP request and response transaction with the given OCSP server. When an OCSP server connection fails, Firefox treats the server certificate as invalid for EV. This is true for the first check for each server certificate in a Firefox session. Firefox uses volatile caching to reduce the number of OCSP transactions performed.
- Firefox must be able to verify the received OCSP response. The response must confirm the server certificate is not revoked.
- OCSP must be enabled in the application, which is the default configuration used by Firefox. The option is called security.ocsp.enabled.
- At this time Firefox will not download CRLs on demand.
6. Open question: what about OCSP for the intermediate certificates? Will Firefox 3 require successful OCSP transactions for each intermediate certificate, too? If yes, then each intermediate certificate must have an OCSP AIA, and a lack of OCSP AIA would be translated into an “EV verification failure”.
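As an added example (not Mozilla's or Firefox's code), the following Python applies the AIA rule from item 5 to a certificate's raw Authority Information Access extension value, using a minimal DER reader, and runs it over a constructed intermediate-style AIA that carries only a caIssuers entry to show the failure item 6 asks about. The responder URIs are assumptions; the OIDs are the standard id-ad-ocsp and id-ad-caIssuers values from RFC 5280.

```python
# Check the OCSP AIA requirement described above (added example, not Mozilla code).
# Parses AuthorityInfoAccessSyntax (RFC 5280 4.2.2.1) with a minimal DER reader and
# applies the rule from the post: EV needs an OCSP responder URI reachable over HTTP.
ID_AD_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1
ID_AD_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_aia(der):
    """Return [(accessMethod OID contents, uri)] for each AccessDescription
    whose accessLocation is a uniformResourceIdentifier ([6] IA5String)."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA extension value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)          # one AccessDescription
        oid_tag, oid, p = read_tlv(desc, 0)
        loc_tag, loc, _ = read_tlv(desc, p)
        if oid_tag == 0x06 and loc_tag == 0x86:    # OID followed by [6] URI
            out.append((oid, loc.decode("ascii")))
    return out

def ev_ocsp_check(aia_der):
    """aia_der is the raw extension value, or None when the certificate has no AIA.
    Returns (ok, reason, ocsp_uris)."""
    if aia_der is None:
        return False, "no AIA extension: EV verification failure", []
    uris = [u for oid, u in parse_aia(aia_der) if oid == ID_AD_OCSP]
    if not uris:
        return False, "AIA carries no OCSP responder URI: EV verification failure", []
    if not any(u.lower().startswith("http://") for u in uris):
        return False, "OCSP URI is not http://, which Firefox requires", uris
    return True, "OCSP AIA over HTTP present", uris

def tlv(tag, body):
    """Tiny DER encoder (short-form lengths only) used to build the constructed samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed sample: a server certificate AIA with an HTTP OCSP responder and a caIssuers entry.
SAMPLE_AIA = tlv(0x30,
    tlv(0x30, tlv(0x06, ID_AD_OCSP) + tlv(0x86, b"http://ocsp.example.test"))
    + tlv(0x30, tlv(0x06, ID_AD_CA_ISSUERS) + tlv(0x86, b"http://ca.example.test/ca.crt")))
# Constructed sample: an intermediate that advertises only caIssuers (the case item 6 asks about).
NO_OCSP_AIA = tlv(0x30, tlv(0x30, tlv(0x06, ID_AD_CA_ISSUERS) + tlv(0x86, b"http://ca.example.test/ca.crt")))

if __name__ == "__main__":
    for name, der in [("server", SAMPLE_AIA), ("intermediate", NO_OCSP_AIA), ("no AIA", None)]:
        print(name, ev_ocsp_check(der))
```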