Jakob,

I don't see what is wrong with Jonathan reporting these issues. The authors
and ratifiers of the BRs made the choice to specify these small details.
While a minor encoding error is certainly not as alarming as say, issuing
an md5 signed certificate, it is still an error and is worth reporting.

I believe it is decidedly off-topic to debate what BR violations are worth
reporting.

If you think certain BR rules are outdated or sub-par, I am sure the
community would welcome that discussion but it should be its own thread.

-Vincent

On Mon, Aug 7, 2017 at 4:57 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 07/08/2017 22:47, Jonathan Rudenberg wrote:
>
>> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder
>> URL that has an HTTPS URI scheme. This is not valid; the OCSP responder URI
>> is required to have the plaintext HTTP scheme according to Baseline
>> Requirements section 7.1.2.2(c).
>>
>> Here’s the list of certificates: https://misissued.com/batch/4/
>>
>> Jonathan
>>
>>
> Why are you so obsessed with the least significant BR requirements?
>
> The original prohibition on https revocation URLs was based on the risk
> that CAs might misconfigure this in a way that causes infinite recursion
> in clients checking that particular https certificate for revocation.
>
> This was before mass-surveillance became such a big issue, and might
> have been decided otherwise today.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>



-- 
Vincent Lynch
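A defender-side lint for the finding quoted above (an OCSP responder URI carrying an https scheme instead of the plaintext http that BR 7.1.2.2(c) requires). This is an added example, not code from the thread or from any of its participants: it parses the DER value of a certificate's Authority Information Access extension with the standard library only, and the sample AIA bytes and hostnames are constructed for the demonstration.

```python
from urllib.parse import urlsplit

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"   # accessMethod OID for an OCSP responder (id-ad-ocsp)

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); short and long-form lengths."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long form: the next (ln & 0x7F) bytes hold the length
        n, ln = ln & 0x7F, 0
        for b in buf[pos:pos + n]:
            ln = (ln << 8) | b
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_aia(der):
    """Return [(accessMethod OID, URI)] for each AccessDescription in a DER-encoded AIA
    extension value whose accessLocation is a uniformResourceIdentifier ([6] IA5String)."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE OF AccessDescription")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _tlv(seq, pos)
        mtag, method, p = _tlv(desc, 0)
        ltag, loc, _ = _tlv(desc, p)
        if mtag == 0x06 and ltag == 0x86:
            out.append((_oid(method), loc.decode("ascii")))
    return out

def ocsp_scheme_violations(der):
    """OCSP responder URIs whose scheme is not plaintext http, i.e. the BR 7.1.2.2(c) finding."""
    return [uri for oid, uri in parse_aia(der)
            if oid == ID_AD_OCSP and urlsplit(uri).scheme.lower() != "http"]

# Constructed sample AIA value (made-up hostnames): an https OCSP URI, then an http caIssuers URI.
SAMPLE_AIA = (bytes.fromhex("3052")
              + bytes.fromhex("3025 0608 2B06010505073001 8619") + b"https://ocsp.example.test"
              + bytes.fromhex("3029 0608 2B06010505073002 861D") + b"http://ca.example.test/ca.crt")
```

Feed `ocsp_scheme_violations` the raw extension value (the OCTET STRING contents of extension 1.3.6.1.5.5.7.1.1) taken from a parsed certificate; a non-empty result is the same class of encoding error the thread discusses.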