On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg wrote:
> > On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy 
> > <dev-security-policy@lists.mozilla.org> wrote:
> > 
> > On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg wrote:
> >> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder 
> >> URL that has a HTTPS URI scheme. This is not valid, the OCSP responder URI 
> >> is required to have the plaintext HTTP scheme according to Baseline 
> >> Requirements section 7.1.2.2(c).
> >> 
> >> Here’s the list of certificates: https://misissued.com/batch/4/
> >> 
> >> Jonathan
> > 
> > IdenTrust had previously interpreted HTTP to be inclusive of HTTPS in this 
> > context.  That being said, we have altered our profiles for certificates 
> > issued under this Sub CA to include only HTTP OCSP URLs.  All certificates 
> > issued going forward will contain an HTTP OCSP URL.  We will also examine 
> > all 
> > other sub CA to ensure only HTTP OCSP URLs are included.  Thank you for 
> > giving 
> > us an opportunity to address this with the community
> 
> Thanks for the update.
> 
> Can you also clarify why the subject organizationName is "U.S. Government” 
> for all of these certificates, despite the other subject fields indicating 
> organizations that are not a component of the US Government?
> 
> Jonathan

Yes,
IdenTrust ACES SSL Certificates are issued in accordance with the ACES
certificate policy defined by U.S. General Service Administration 
(http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/documents/ACES-CP-v3-2_signed_05122017.pdf)
 
and the GSA approved IdenTrust CPS
(https://secure.identrust.com/certificates/policy/aces/IdenTrust_ACES_CPS_v5.1_20161110.pdf)
These ACES SSL certificates are issued to either U.S. Government agencies
and/or their sub-contractors in support of government programs\projects.  The
CP requires an approved CA, such as IdenTrust, to identify U.S. Government in
subject organizationName along with other applicable organizations (e.g.
sub-contractors, or local government agency, etc...).
Marco Schambach
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
              • Re:... Jonathan Rudenberg via dev-security-policy
              • Re:... identrust--- via dev-security-policy
              • Re:... identrust--- via dev-security-policy
              • Re:... Jeremy Rowley via dev-security-policy
              • Re:... Gervase Markham via dev-security-policy
              • Re:... Jeremy Rowley via dev-security-policy
              • Re:... Ryan Sleevi via dev-security-policy
              • Re:... Jeremy Rowley via dev-security-policy
              • Re:... Ryan Sleevi via dev-security-policy
              • Re:... identrust--- via dev-security-policy
      • Re: Certificates iss... identrust--- via dev-security-policy
  • Re: Certificates issued with ... identrust--- via dev-security-policy
  • Re: Certificates issued with ... branden.dickerson--- via dev-security-policy

Reply via email to