Ernst & Young Poland: KIR OCSP "unknown" status for revoked certificate

The case involves Krajowa Izba Rozliczeniowa S.A. (KIR) and their handling of OCSP responses for revoked certificates. KIR's auditor, T-Systems, recommended maintaining an 'unknown' status for OCSP responses until certificates are delivered to customers, which raised compliance concerns with WebTrust standards. The discussion highlighted the distinction between qualified and non-qualified certificates, with the latter now aligned with WebTrust. Ultimately, the bug was resolved as invalid due to the clarification that qualified certificates are out of scope for Mozilla's root store policy.

1. 2019-02-04 Initial report of OCSP status issue
2. 2020-05-06 Clarification provided regarding auditor recommendations
3. 2020-05-08 Bug closed as invalid