Compliance question about OCSP responder certificates

Peter Mate Erdosi

unread,

Jan 16, 2024, 12:45:36 PMJan 16

to dev-secur...@mozilla.org

Dear all,

I found the following, what is your opinion, do these OCSP Responder certificates comply with BRG (especially 7.1.2.8.7 OCSP Responder Key Usage) or not?

https://ntc.pki.gov.pk/repository/cert/NTC_TLS_CA_OCSP_-_2023.cer

https://ntc.pki.gov.pk/repository/cert/NTC_EV_TLS_CA_OCSP_-_2023.cer

Many thanks for any answers!

Best Regards,

Peter

Corey Bonnell

unread,

Jan 16, 2024, 1:02:09 PMJan 16

to Peter Mate Erdosi, dev-secur...@mozilla.org

These certificates were issued prior to September 15^th, 2023, so they do not need to follow the current BRG profile.

If they were issued on or after September 15^th, they would not be in alignment with the BRG OCSP responder certificate profile, as they include the nonRepudiation KU value and certificate policies extension.

Thanks,

Corey

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/fc37cbb4-10a1-42cd-be2b-2b8aedcf136an%40mozilla.org.

Peter Mate Erdosi

unread,

Jan 16, 2024, 1:33:23 PMJan 16

to Corey Bonnell, dev-secur...@mozilla.org

Thank you Corey, I found it!

https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/

Best Regards,

Peter

Reply all

Reply to author

Forward