Re: OCSP responder support for SHA256 issuer identifier info

2019-10-08 Thread Tomas Gustavsson via dev-security-policy
-Original Message- > From: dev-security-policy On > Behalf Of Tomas Gustavsson via dev-security-policy > Sent: Friday, October 4, 2019 1:45 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: OCSP responder support for SHA256 issuer identifier info > &

Re: OCSP responder support for SHA256 issuer identifier info

2019-10-04 Thread Tomas Gustavsson via dev-security-policy
I was pointed to this interesting discussion. We were forced to support requests with SHA256 in CertID back in 2014. Not for any relevant security reasons, just because some stubborn auditors saw a red flag on the mentioning of SHA-1. We've implemented it by having both hashes in the lookup

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-09-02 Thread Tomas Gustavsson via dev-security-policy
On Friday, August 30, 2019 at 8:58:17 PM UTC+2, Ryan Sleevi wrote: > On Fri, Aug 30, 2019 at 11:26 AM Jeremy Rowley via dev-security-policy < > Despite all of the writing above, I'm too lazy to copy/paste my comment > from the Let's Encrypt issue, but I would hope any CA contemplating things >

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-09-02 Thread Tomas Gustavsson via dev-security-policy
fusing imo. > ____ > From: dev-security-policy on > behalf of Tomas Gustavsson via dev-security-policy > > Sent: Saturday, August 31, 2019 9:00:08 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: Re: 2019.08.2

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-31 Thread Tomas Gustavsson via dev-security-policy
ntent to issue’ is fulfilled. > > Note that even if you argue that “revoked”, “invalid”, or “unknown” are > appropriate, the RFC still permits “good” as a response because no > certificates with that serial number are revoked. Good is the safe answer. Was there not a plan in CABF on allowing una

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-31 Thread Tomas Gustavsson via dev-security-policy
Hi, I find and hear a few non-conclusive, sometimes contradictory, messages about OCSP responder handling of pre-certificates without final certificates. Reading this thread I don't find a firm conclusion either (albeit I may have missed it). I'm not saying anything others have not said before,

Re: Open Source CA Software

2019-03-15 Thread Tomas Gustavsson via dev-security-policy
Hi, It might have been found, but there's a good chance it would have been bypassed anyhow. Since it was not a bug in the code, you would have had to analyze it in the context of the discussions around b164, which I think there are probably very few people who could/would. I may be wrong, and

Re: EJBCA defaulting to 63 bit serial numbers

2019-03-09 Thread Tomas Gustavsson via dev-security-policy
Hi, As others have already pointed out, the subject in this thread is incorrect. There are no, and have never been any, 63-bit serial numbers created by EJBCA. As the specific topic has already been discussed, I just wanted to reference the post[1] with technical details, if anyone ends up