Great feedback. This is exactly the type of input needed to get clarity around
operating OCSP responder services for certificates in the WebPKI ecosystem.
> I think an important part missing from this, overall, is to highlight that
> these clauses only apply with respect to definitive
On Fri, Sep 20, 2019 at 4:20 PM Curt Spann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> This is a great discussion and I want to thank everyone for their
> continued input. Let me try and summarize my interpretation based on the
> input from this thread and related
I'll share this publicly, so that there's no suggestion that personally or
professionally Google Trust Services is treated any differently than any
other CA. As a publicly trusted CA, I personally find this a deeply
disappointing post towards positive engagement. It's disappointing because
it
Google Trust Services (GTS) reached out to Wayne directly, but I'm also posting
here as the conversation seems to be rapidly converging on solutions. GTS still
has reservations that the proposed solutions may be problematic to implement
and may leave a number of CAs and one very common CA
This is a great discussion and I want to thank everyone for their continued
input. Let me try and summarize my interpretation based on the input from this
thread and related RFC.
My interpretation is an “unknown” OCSP response should be used in the following
conditions:
1. When the OCSP
On Fri, Sep 20, 2019 at 4:56 AM Dimitris Zacharopoulos
wrote:
>
>
> Using the following practice as described in RFC 6960 should not be a
> violation of the BRs. That is, answering revoked where a pre-certificate
> has been issued but not the final certificate should be OK as long as the
>
On Fri, Sep 20, 2019 at 9:58 AM Rob Stradling wrote:
> On 19/09/2019 21:01, Ryan Sleevi wrote:
>
> > It would be helpful for one of the relevant documents, or another
> > document, or even an errata, to clarify that OCSP services can be
> > offered for pre-certificates. It’s merely
On 19/09/2019 21:01, Ryan Sleevi wrote:
> It would be helpful for one of the relevant documents, or another
> document, or even an errata, to clarify that OCSP services can be
> offered for pre-certificates. It’s merely a question of clarifying
> the technical requirements about
On 16/09/2019 18:08, Andrew Ayer wrote:
> On Fri, 13 Sep 2019 08:22:21 +
> Rob Stradling via dev-security-policy
> wrote:
>
>> Thinking aloud...
>> Does anything need to be clarified in 6962-bis though?
>
> Yes, it's long past time that we clarified what this means:
Thanks Andrew. I'll
Dear Wayne,
According to section 2.2 of RFC 6960, an OCSP responder may respond
"revoked" for a "non-issued" Certificate. It even allows this response
for "unknown" Certificates in order to support backwards compatibility
with implementations of RFC 2560.
In addition to that, section 4.4.8