[8] 7174966: With OCSP enabled on Java 7 get error 'Wrong key usage' with Comodo certificate
Tomas Gustavsson
tomas at primekey.se
Thu May 30 10:51:28 UTC 2013
It was at some point common to require digitalSignature. Many years ago
when we developed support for OCSP in EJBCA, Mozilla browsers would not
accept OCSP responses with only keyCertSign and crlSign.
DigitalSignature was needed as well. So at least it was common behaviour
some years ago.
I don't know if Firefox has changed that, I guess so as it seems unlikely
Comodo would not work with Firefox.
RFC2560 does not specify anything about key usage, so my guess is that
the CABForum has determined what browsers and public CAs should/could use.
Will try without digitalSignature in Firefox now :-)
Cheers,
Tomas
On 05/29/2013 04:55 PM, Matthew Hall wrote:
> Comodo used the root cert to sign the responses, which the RFC allows. I think Java is getting carried away with strictness on this.
>
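The key usage check the thread is arguing about, as an added example that is not from the thread or from the JDK: it decodes the DER value of an X.509 KeyUsage extension and applies the strict rule attributed to Java 7, namely that a certificate signing OCSP responses must assert digitalSignature. The two KeyUsage values and the function names are constructed for illustration.

```python
# Added example (stdlib only). KeyUsage bit names per RFC 5280 section 4.2.1.3;
# the bit positions are those of the ASN.1 BIT STRING definition.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of asserted usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    # DER requires the unused trailing bits to be zero.
    if body and unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits")
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if body[byte] & (0x80 >> bit):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def ocsp_signer_key_usage_ok(key_usage_der) -> bool:
    """Strict rule discussed in the thread: digitalSignature must be present.
    A certificate with no KeyUsage extension (None) is unrestricted."""
    if key_usage_der is None:
        return True
    return "digitalSignature" in decode_key_usage(key_usage_der)


# Constructed KeyUsage values (hypothetical, for illustration):
# a CA certificate asserting only keyCertSign and cRLSign ...
CA_ONLY = bytes.fromhex("03020106")
# ... and one that additionally asserts digitalSignature.
CA_PLUS_DS = bytes.fromhex("03020186")

if __name__ == "__main__":
    for name, value in (("CA_ONLY", CA_ONLY), ("CA_PLUS_DS", CA_PLUS_DS)):
        print(name, sorted(decode_key_usage(value)), ocsp_signer_key_usage_ok(value))
```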
More information about the security-dev mailing list