Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Andrew Ayer via dev-security-policy
On Fri, 13 Sep 2019 08:22:21 + Rob Stradling via dev-security-policy wrote: > Thinking aloud... > Does anything need to be clarified in 6962-bis though? Yes, it's long past time that we clarified what this means: "This signature indicates the CA's intent to issue the certificate. This

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 16, 2019 at 3:25 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 16/09/2019 19:08, Andrew Ayer wrote: > > On Fri, 13 Sep 2019 08:22:21 + > > Rob Stradling via dev-security-policy > > wrote: > > > >> Thinking aloud... > >> Does anything

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Jakob Bohm via dev-security-policy
On 16/09/2019 19:08, Andrew Ayer wrote: > On Fri, 13 Sep 2019 08:22:21 + > Rob Stradling via dev-security-policy > wrote: > >> Thinking aloud... >> Does anything need to be clarified in 6962-bis though? > > Yes, it's long past time that we clarified what this means: > > "This signature

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Wayne Thayer via dev-security-policy
On Mon, Sep 16, 2019 at 5:02 AM Rob Stradling wrote: > On 14/09/2019 00:27, Andrew Ayer via dev-security-policy wrote: > > > If a certificate (with embedded SCTs and no CT poison extension) is > "presumed to exist" but the CA has not actually issued it, then to my > mind that's a "certificate

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Rob Stradling via dev-security-policy
On 13/09/2019 19:24, Tim Hollebeek wrote: > Yes, but I think this clarifies things in the wrong direction. Hi Tim. I'm not clear what you mean. I was talking specifically and only about what IETF could/should do regarding this matter. Which part did you disagree with, and why? > -Tim > >>

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Rob Stradling via dev-security-policy
On 14/09/2019 00:27, Andrew Ayer via dev-security-policy wrote: > Here's some suggested wording for the last paragraph: > >> This means, for example, that (i) a CA must provide OCSP services >> and responses in accordance with Mozilla policy for all certificates >> presumed to exist based on the