[cabfpub] Fwd: Re: SHA-256 support

Wan-Teh Chang wtc at google.com
Wed Nov 27 23:01:16 UTC 2013

On Tue, Nov 26, 2013 at 2:54 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
> Thanks Gerv.  I think Bob's and Wan-Teh's answers only cover signatures
> on certificates.  CAs will also need clients to support SHA-2-based
> signatures on OCSP Responses.
> 2 days ago Brian Smith wrote:
> "Note that currently NSS does not support SHA2 for OCSP completely yet."
> https://bugzilla.mozilla.org/show_bug.cgi?id=942515
> Which NSS and Firefox versions will support SHA-256/384/512-based
> signatures on OCSP Responses "completely"?

This issue has been clarified. The NSS bug that Brian Smith referred
to is https://bugzilla.mozilla.org/show_bug.cgi?id=663315. That bug is
not about SHA-256/384/512-based signatures on OCSP responses.

So NSS 3.11.4 and later should be able to verify SHA-256/384/512-based
signatures on OCSP responses.

Wan-Teh Chang

More information about the Public mailing list