On 07/08/2017 22:47, Jonathan Rudenberg wrote:
> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL
> that has a HTTPS URI scheme. This is not valid; the OCSP responder URI is
> required to have the plaintext HTTP scheme according to Baseline Requirements
> section 7.1.2.2(c).
>
> Here’s the list of certificates: https://misissued.com/batch/4/
>
> Jonathan
Why are you so obsessed with the least significant BR requirements?
The original prohibition on https revocation URLs was based on the risk
that CAs might misconfigure this in a way that causes infinite recursion
in clients checking that particular https certificate for revocation.
This was before mass-surveillance became such a big issue, and might
have been decided otherwise today.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
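Added example, not code from the thread or from either poster: a small Python check for the rule Jonathan cites (BR 7.1.2.2(c), OCSP responder URI must use plaintext http) and a toy model of the recursion risk Jakob describes, where a client checking revocation of a certificate over an https responder must first check the responder's own TLS certificate, and a misconfigured responder points back at itself. The certificate names, hostnames and the in-memory table of OCSP URIs are constructed for the example; a real certificate carries these URIs in its AuthorityInformationAccess extension, which this example does not parse.

```python
"""BR 7.1.2.2(c) OCSP URI lint plus a model of the https-responder recursion risk.

Added example; the PKI below is a constructed stand-in, not real certificates.
"""
from urllib.parse import urlsplit

# Constructed stand-in for each certificate's AIA OCSP entries: name -> [OCSP URIs].
CERT_OCSP_URIS = {
    # Leaf whose responder URI is https (the misissuance pattern in the thread).
    "leaf.example": ["https://ocsp-loop.example.test/"],
    # TLS cert of that responder host, itself pointing at an https responder on
    # the same host: the misconfiguration that makes a naive client recurse forever.
    "ocsp-loop.example.test": ["https://ocsp-loop.example.test/"],
    # Leaf with an https responder whose TLS cert is checked over plain http:
    # still a BR violation, but not a loop.
    "leaf2.example": ["https://ocsp-ok.example.test/"],
    "ocsp-ok.example.test": ["http://ocsp.example.test/"],
    # Compliant leaf.
    "good.example": ["http://ocsp.example.test/"],
}

# Constructed mapping: which certificate an https responder host presents over TLS.
TLS_CERT_FOR_HOST = {
    "ocsp-loop.example.test": "ocsp-loop.example.test",
    "ocsp-ok.example.test": "ocsp-ok.example.test",
}


def ocsp_uri_violations(uris):
    """Return the OCSP responder URIs whose scheme is not plaintext http.

    BR 7.1.2.2(c) requires the http scheme; anything else (https, ldap, ...) is flagged.
    """
    return [u for u in uris if urlsplit(u).scheme.lower() != "http"]


def find_ocsp_loop(cert_name, pki=CERT_OCSP_URIS, tls_certs=TLS_CERT_FOR_HOST, _path=()):
    """Walk the checks a naive client would perform for cert_name.

    For every https responder URI the client would open a TLS connection and,
    before trusting it, check the responder's TLS certificate in the same way.
    Returns the list of certificate names forming a cycle, or None if the
    chain of checks terminates.
    """
    if cert_name in _path:
        return list(_path) + [cert_name]
    path = _path + (cert_name,)
    for uri in pki[cert_name]:
        parts = urlsplit(uri)
        if parts.scheme.lower() == "https":
            responder_cert = tls_certs[parts.hostname]
            loop = find_ocsp_loop(responder_cert, pki, tls_certs, path)
            if loop:
                return loop
    return None


def audit(pki=CERT_OCSP_URIS):
    """Return {cert name: (violating URIs, loop path or None)} for every certificate."""
    return {name: (ocsp_uri_violations(uris), find_ocsp_loop(name, pki))
            for name, uris in pki.items()}


if __name__ == "__main__":
    for name, (bad_uris, loop) in audit().items():
        status = "ok" if not bad_uris else "non-compliant: " + ", ".join(bad_uris)
        if loop:
            status += " (recursion: " + " -> ".join(loop) + ")"
        print(f"{name}: {status}")
```

The lint alone is what a CA or a third-party checker needs; the loop finder only illustrates why the rule exists: a client without a cycle guard would never finish checking leaf.example, while leaf2.example is merely non-compliant.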