On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg wrote:
> > On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy 
> > <dev-security-policy@lists.mozilla.org> wrote:
> > 
> > On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg wrote:
> >> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder 
> >> URL that has a HTTPS URI scheme. This is not valid, the OCSP responder URI 
> >> is required to have the plaintext HTTP scheme according to Baseline 
> >> Requirements section
> >> 
> >> Here’s the list of certificates: https://misissued.com/batch/4/
> >> 
> >> Jonathan
> > 
> > IdenTrust had previously interpreted HTTP to be inclusive of HTTPS in this 
> > context.  That being said, we have altered our profiles for certificates 
> > issued under this Sub CA to include only HTTP OCSP URLs.  All certificates 
> > issued going forward will contain an HTTP OCSP URL.  We will also examine 
> > all other sub CAs to ensure only HTTP OCSP URLs are included.  Thank you 
> > for giving us an opportunity to address this with the community.
>
> Thanks for the update.
>
> Can you also clarify why the subject organizationName is “U.S. Government” 
> for all of these certificates, despite the other subject fields indicating 
> organizations that are not a component of the US Government?
>
> Jonathan

IdenTrust ACES SSL Certificates are issued in accordance with the ACES 
certificate policy defined by U.S. General Service Administration 
 and the GSA approved IdenTrust CPS 
These ACES SSL certificates are issued to either U.S. Government agencies 
and/or their sub-contractors in support of government programs\projects.  The 
CP requires an approved CA, such as IdenTrust, to identify U.S. Government in 
subject organizationName along with other applicable organizations (e.g. 
sub-contractors, or local government agency, etc...).
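
The OCSP URI scheme rule raised at the start of this thread can be checked mechanically before issuance. The following is an added example, not code from any participant or from IdenTrust: a standard-library lint over the DER value of a certificate's authorityInfoAccess extension. It assumes the extension value has already been extracted from the certificate; the function names and the `example.test` host names are hypothetical.

```python
# Added example: flag OCSP responder URIs in an authorityInfoAccess value
# whose scheme is anything other than plaintext http.
OCSP_OID = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
CA_ISSUERS_OID = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ocsp_uris(aia_der):
    """Yield every URI listed under the id-ad-ocsp access method."""
    tag, seq, _ = read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)       # AccessDescription
        oid_tag, oid, nxt = read_tlv(desc, 0)   # accessMethod
        loc_tag, loc, _ = read_tlv(desc, nxt)   # accessLocation
        # 0x86 is GeneralName [6] uniformResourceIdentifier
        if oid_tag == 0x06 and oid == OCSP_OID and loc_tag == 0x86:
            yield loc.decode("ascii")

def non_http_ocsp_uris(aia_der):
    """Return the OCSP URIs whose scheme is not http (case-insensitive)."""
    return [u for u in ocsp_uris(aia_der)
            if u.split(":", 1)[0].lower() != "http"]

def tlv(tag, value):
    """Encode one DER element; short-form lengths only (sample builder)."""
    return bytes([tag, len(value)]) + value

def make_aia(*entries):
    """Build a constructed AIA value from (oid, uri) pairs."""
    return tlv(0x30, b"".join(
        tlv(0x30, tlv(0x06, oid) + tlv(0x86, uri.encode())) for oid, uri in entries))

# Constructed samples; host names are placeholders, not taken from the thread.
BAD = make_aia((OCSP_OID, "https://ocsp.example.test"),
               (CA_ISSUERS_OID, "https://ca.example.test/issuer.cer"))
GOOD = make_aia((OCSP_OID, "http://ocsp.example.test"))

if __name__ == "__main__":
    print(non_http_ocsp_uris(BAD), non_http_ocsp_uris(GOOD))
```

Only the OCSP access method is checked, so the https caIssuers entry in the first sample is not reported.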