> On Aug 7, 2017, at 16:57, Jakob Bohm via dev-security-policy 
> <[email protected]> wrote:
> 
> On 07/08/2017 22:47, Jonathan Rudenberg wrote:
>> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder 
>> URL that has a HTTPS URI scheme. This is not valid, the OCSP responder URI 
>> is required to have the plaintext HTTP scheme according to Baseline 
>> Requirements section 7.1.2.2(c).
>> Here’s the list of certificates: https://misissued.com/batch/4/
>> Jonathan
> 
> Why are you so obsessed with the least significant BR requirements?

I’m not convinced this is insignificant. NSS only supports http:// URLs for 
OCSP, and I suspect the majority of OCSP clients do the same.

https://hg.mozilla.org/projects/nss/file/3c4f0e9f6e45/lib/certhigh/ocsp.c#l2844
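
A lint for the condition reported in this thread, as an added example that is not part of the original e-mails or of NSS: it walks the DER value of an Authority Information Access extension and reports every OCSP responder URI whose scheme is not plain `http`. The function names and the `example.test` sample data are constructed for illustration.

```python
from urllib.parse import urlsplit

# DER encodings of the two standard AIA access-method OIDs
OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def ocsp_uris(aia_der):
    """Return the URIs of all id-ad-ocsp entries in an AIA extension value."""
    tag, body, _ = read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)        # AccessDescription
        if tag != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        m_tag, method, nxt = read_tlv(desc, 0)      # accessMethod (OID)
        l_tag, location, _ = read_tlv(desc, nxt)    # accessLocation (GeneralName)
        # 0x86 is context tag [6], uniformResourceIdentifier
        if m_tag == 0x06 and method == OID_OCSP and l_tag == 0x86:
            uris.append(location.decode("ascii"))
    return uris

def non_http_ocsp(aia_der):
    """Return (uri, scheme) for each OCSP URI whose scheme is not plain http."""
    pairs = [(u, urlsplit(u).scheme.lower()) for u in ocsp_uris(aia_der)]
    return [(u, s) for u, s in pairs if s != "http"]

def tlv(tag, value):  # short-form encoder, used only to build the sample
    return bytes([tag, len(value)]) + value

def desc(oid, uri):
    return tlv(0x30, tlv(0x06, oid) + tlv(0x86, uri.encode("ascii")))

# Constructed sample: one https OCSP URI, one caIssuers URI, one http OCSP URI
SAMPLE_AIA = tlv(0x30, desc(OID_OCSP, "https://ocsp.example.test/")
                 + desc(OID_CA_ISSUERS, "http://ca.example.test/ca.cer")
                 + desc(OID_OCSP, "http://ocsp.example.test/"))
```
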