TWCA has applied to include the “TWCA Global Root CA” root certificate,
turn on all three trust bits, and enable EV treatment. This SHA-256 root
will eventually replace the SHA-1 “TWCA Root Certification Authority”
root certificate that was included in NSS per bug #518503.
Taiwan CA, Inc. (TWCA) is a commercial CA that provides a consolidated
on-line financial security certificate service and a sound financial
security environment, to ensure the security of on-line finance and
electronic commercial trade in Taiwan. Taiwan-CA INC. (TWCA) is a
joint-venture company formed by Taiwan Stock Exchange Corporation
(TWSE), Taiwan Depository and Clearing Corporation (TDCC), Financial
Information Service Corporation (FISC), and HiTrust Inc. (HiTrust).
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=810133
And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#TWCA
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=756257
Noteworthy points:
* The primary documents are the CP and CPS documents, which are
translated into English.
Repository (English):
http://www.twca.com.tw/Portal/english/coporate_profile/Repository.html
On this page there are links to CPS, CP, Root CA CPS, EV SSL CPS, and
Global CA CPS.
Eventually this SHA-256 root will have internally-operated subordinate
CAs corresponding to the “TWCA Root Certification Authority” root
certificate:
1. CN=TaiCA Secure CA, OU=SSL Certification Service Provider -- Issues
SSL certificates.
2. CN=TaiCA Secure CA, OU=Certification Service Provider -- Issues
identity certificates for on-line commerce transactions, such as
stock trading or email.
3. CN=TaiCA Information Policy CA; CN=TaiCA Information User CA -- Issue
identity certificates for on-line taxation, e-Government or e-Commerce
transactions.
4. CN=TaiCA Finance CA; CN=TaiCA Finance User CA -- Issue identity
certificates for on-line fund transfer, e-Finance or e-Banking
transactions.
5. CN=TWCA EVSSL Certification Authority -- Issues EV SSL certs.
This request is to turn on all three trust bits and enable EV treatment.
* Global CA CPS section 1.4.1: Procedure for Identifying Server Hostname
and IP Address
(A) Private organizations: This CA verifies whether the Internet domain
name or IP address initially registered for the server hostname by a
private organization is actually managed and used by that private
organization, in accordance with the database or documents of the
management unit for Internet domain names or IP addresses.
(B) Public organizations: This CA verifies whether the Internet domain
name or IP address used by the initially registered server hostname
exists, and whether the name of the user is the same as the signature of
the above public organization after verification, in accordance with the
public directory service or the database or documents of the management
unit for Internet domain names or IP addresses.
* EV CPS Executive Summary: This CA operates according to Assurance
Level 4 specified in the TWCA PKI CP and issues Class 3 certificates
specified in the CP to EV SSL certificate subscribers.
** EV CPS section 3.2.2.1: When authenticating the identity of an
organization, documents issued by the competent authorities or other
documents proving the existence of such organization shall be verified.
Also, the identity of its statutory representative shall be
authenticated. Application documents and identity documents can be
delivered either over the counter or by mail.
In addition to verifying the documents submitted by subscribers,
information shall be verified according to the identity identification
and authentication requirements specified in the EV SSL Guidelines. At
least the following actions shall be taken to verify the identity of an
organization: …
** EV CPS section 3.2.2.2 Internet Host Authentication Procedure
(1) Private organizations: Validate, in the database of the
administration unit for public Internet domain names, that the domain
name used by the Internet host name provided by a private organization
in the initial registration is managed and used by that private
organization.
(2) Public organizations: Validate the domain name of the public
organization at the government's public directory service, and verify
that the domain name used by the Internet host name provided in the
initial registration exists and that the name of the user unit is
identical to the public organization validated in 3.2.2.1.
* S/MIME certificates are issued under assurance level class 1, 2, or 3.
TWCA verifies the identity and PIN of the subscriber, verifies the
domain name ownership of the email address to be listed in the
certificate, and exchanges email with the subscriber to confirm the
application request. This is documented in sections 2.2.1.1 and 5.1 of
the CPS.
** Global CA CPS section 1.4.1:
*** Class 1: This CA or the RA conducts limited verification of the
subscriber’s name (e.g. the name of an individual or the registered name
or universal resource location (URL) of an organization) and e-mail data
with a simple procedure. … This CA and RA assure only the uniqueness of
the name and e-mail data of subscribers in the database of this CA, and
all other information related to subscribers is considered as unverified.
*** Global CA CPS section 4.1.2: After verifying the identity and
supporting documents according to the SOP for identity authentication of
different levels of assurance, RA should set the personal identification
number (PIN) and protection password of subscribers to complete the
subscriber registration.
*** Global CA CPS section 4.3.1:
(1) Subscribers must pass at least the PIN and password check and
verification. After logging on to the RA, subscribers should sign the
certificate application information with the subscriber private key
before delivering it to the RA.
(2) After verifying the PIN and password of subscribers and checking the
integrity of the certificate application information, the RA should sign
the certificate application information of subscribers with the RA
private key if no error is found.
* Global CA CPS Executive Summary: Only InfoSec Certificates of Level of
Assurance Class 3 can be used for code signing.
** Global CA CPS section 1.4.1 regarding InfoSec Certs of Class 3:
A. Method of Identity Authentication:
Apart from checking the information of Class 2 certificates, subscribers
shall personally apply for the registration. An organization (juristic
person) may apply for registration through an agent holding valid
authorization documents and documents that can identify his/her
identity. When organizations can provide identity documents that can
verify their organization status and such documents have been confirmed
by the RA, they may apply for registration by e-mail, by fax, or by
electronic document containing an electronic signature.
* EV Policy OID 1.3.6.1.4.1.40869.1.1.22.3
* Root Cert:
https://bugzilla.mozilla.org/attachment.cgi?id=679898
* Test Website:
https://evssldemo3.twca.com.tw/index.html
* CRL
http://RootCA.twca.com.tw/TWCARCA/global_revoke_4096.crl
http://sslserver.twca.com.tw/sslserver/GlobalEVSSL_Revoke_2012.crl
CPS section 5.4.9: CRL issuance frequency shall be 24 hours.
* OCSP
http://RootOcsp.twca.com.tw/
http://evsslocsp.twca.com.tw
* Audit: Annual audits are performed by SunRise CPAs' Firm, a member
firm of DFK, according to the WebTrust CA and WebTrust EV criteria, and
the audit seals are posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1322
https://cert.webtrust.org/ViewSeal?id=1323
* Potentially Problematic Practices -- None noted
(http://wiki.mozilla.org/CA:Problematic_Practices)
This begins the discussion of the request from TWCA to include the “TWCA
Global Root CA” root certificate, turn on all three trust bits, and
enable EV treatment. At the conclusion of this discussion I will provide
a summary of issues noted and action items. If there are outstanding
issues, then an additional discussion may be needed as follow-up. If
there are no outstanding issues, then I will recommend approval of this
request in the bug.
Kathleen