Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-16 Thread identrust--- via dev-security-policy
On Tuesday, August 15, 2017 at 4:42:06 PM UTC-4, Eric Mill wrote: > On Tue, Aug 15, 2017 at 2:47 PM, identrust--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > We have been moderately successful in replacing the five (5) > > certificates. One (1) has been

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-15 Thread Eric Mill via dev-security-policy
On Tue, Aug 15, 2017 at 2:47 PM, identrust--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We have been moderately successful in replacing the five (5) > certificates. One (1) has been voluntarily replaced, we have a commitment > from our client to initiate a

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-15 Thread identrust--- via dev-security-policy
On Friday, August 11, 2017 at 6:05:29 PM UTC-4, paul.l...@gmail.com wrote: > On Friday, August 11, 2017 at 3:43:17 PM UTC-5, iden...@gmail.com wrote: > > IdenTrust is fully aware of the situation and has consulted with internal > > and external parties to ensure that our course of action is

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-15 Thread identrust--- via dev-security-policy
On Tuesday, August 15, 2017 at 1:51:36 AM UTC-4, Eric Mill wrote: > On Fri, Aug 11, 2017 at 4:43 PM, identrust--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Thursday, August 10, 2017 at 11:51:54 PM UTC-4, Eric Mill wrote: > > > On Thu, Aug 10, 2017 at 11:34

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-15 Thread Gervase Markham via dev-security-policy
On 07/08/17 22:30, Jakob Bohm wrote: > Since the CT made it possible, I have seen an increasing obsession with > enforcing every little detail of the BRs, things that would not only > have gone unnoticed, but also been considered unremarkable before CT. I am firmly of the opinion that all BR and

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-14 Thread Eric Mill via dev-security-policy
On Fri, Aug 11, 2017 at 4:43 PM, identrust--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, August 10, 2017 at 11:51:54 PM UTC-4, Eric Mill wrote: > > On Thu, Aug 10, 2017 at 11:34 AM, identrust--- via dev-security-policy < > >

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-11 Thread Paul Kehrer via dev-security-policy
On Friday, August 11, 2017 at 3:43:17 PM UTC-5, iden...@gmail.com wrote: > IdenTrust is fully aware of the situation and has consulted with internal and > external parties to ensure that our course of action is appropriate and > commensurate with our business practices and accommodates our

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-11 Thread identrust--- via dev-security-policy
On Thursday, August 10, 2017 at 11:51:54 PM UTC-4, Eric Mill wrote: > On Thu, Aug 10, 2017 at 11:34 AM, identrust--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > We acknowledge seeing this issue and are looking into it. > > Details will be supplied as soon as we

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-10 Thread Eric Mill via dev-security-policy
On Thu, Aug 10, 2017 at 11:34 AM, identrust--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > We acknowledge seeing this issue and are looking into it. > Details will be supplied as soon as we can but not later than today’s end of > business day. > Thanks for looking

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-10 Thread identrust--- via dev-security-policy
On Wednesday, August 9, 2017 at 11:59:42 PM UTC-4, Lee wrote: > On 8/9/17, Eric Mill wrote: > > On Wed, Aug 9, 2017 at 4:28 PM, Lee wrote: > > > >> On 8/9/17, Eric Mill via dev-security-policy > >> wrote: > >> > On Tue,

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-10 Thread branden.dickerson--- via dev-security-policy
On Monday, August 7, 2017 at 3:47:39 PM UTC-5, Jonathan Rudenberg wrote: > “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL > that has a HTTPS URI scheme. This is not valid; the OCSP responder URI is > required to have the plaintext HTTP scheme according to Baseline

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-09 Thread Lee via dev-security-policy
On 8/9/17, Eric Mill wrote: > On Wed, Aug 9, 2017 at 4:28 PM, Lee wrote: > >> On 8/9/17, Eric Mill via dev-security-policy >> wrote: >> > On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy < >> >

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-09 Thread Eric Mill via dev-security-policy
On Wed, Aug 9, 2017 at 4:28 PM, Lee wrote: > On 8/9/17, Eric Mill via dev-security-policy > wrote: > > On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> On

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-09 Thread Lee via dev-security-policy
On 8/9/17, Eric Mill via dev-security-policy wrote: > On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg wrote: >> >

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-09 Thread Eric Mill via dev-security-policy
On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg wrote: > > > On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy < >

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread identrust--- via dev-security-policy
On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg wrote: > “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL > that has a HTTPS URI scheme. This is not valid; the OCSP responder URI is > required to have the plaintext HTTP scheme according to Baseline

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread identrust--- via dev-security-policy
On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg wrote: > > On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy > > wrote: > > > > On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg wrote: > >> “IdenTrust ACES

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread identrust--- via dev-security-policy
On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg wrote: > > On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy > > wrote: > > > > On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg wrote: > >> “IdenTrust ACES

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread Jakob Bohm via dev-security-policy
On 08/08/2017 19:44, Ryan Sleevi wrote: On Tuesday, August 8, 2017 at 8:52:54 PM UTC+9, Jakob Bohm wrote: On 08/08/2017 12:54, Nick Lamb wrote: On Monday, 7 August 2017 22:31:34 UTC+1, Jakob Bohm wrote: Since the CT made it possible, I have seen an increasing obsession with enforcing every

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread Ryan Sleevi via dev-security-policy
On Tuesday, August 8, 2017 at 8:52:54 PM UTC+9, Jakob Bohm wrote: > On 08/08/2017 12:54, Nick Lamb wrote: > > On Monday, 7 August 2017 22:31:34 UTC+1, Jakob Bohm wrote: > >> Since the CT made it possible, I have seen an increasing obsession with > >> enforcing every little detail of the BRs,

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy > wrote: > > On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg wrote: >> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder >> URL that has a HTTPS

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread Alex Gaynor via dev-security-policy
Luckily we have tools like certlint, which can be run on certificates to catch this stuff! I'd feel very differently if CAs were starting these threads because they'd caught issues with certlint, than the fact that independent researchers are noticing. Alex On Tue, Aug 8, 2017 at 7:52 AM, Jakob

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread Jakob Bohm via dev-security-policy
On 08/08/2017 12:54, Nick Lamb wrote: On Monday, 7 August 2017 22:31:34 UTC+1, Jakob Bohm wrote: Since the CT made it possible, I have seen an increasing obsession with enforcing every little detail of the BRs, things that would not only have gone unnoticed, but also been considered

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread Nick Lamb via dev-security-policy
On Monday, 7 August 2017 22:31:34 UTC+1, Jakob Bohm wrote: > Since the CT made it possible, I have seen an increasing obsession with > enforcing every little detail of the BRs, things that would not only > have gone unnoticed, but also been considered unremarkable before CT. Even if I had no

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Ryan Sleevi via dev-security-policy
On Tuesday, August 8, 2017 at 6:31:34 AM UTC+9, Jakob Bohm wrote: > On 07/08/2017 23:05, Vincent Lynch wrote: > > Jakob, > > > > I don't see what is wrong with Jonathan reporting these issues. The authors > > and ratifiers of the BRs made the choice to specify these small details. > > While a

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Matthew Hardeman via dev-security-policy
> Do we really want the CA community to be filled with bureaucratic > enforcement of harsh punishments for every slight misstep? This is the > important question that any organization (in this case this community) > needs to ask itself whenever new surveillance abilities make it possible > to

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jakob Bohm via dev-security-policy
On 07/08/2017 23:05, Vincent Lynch wrote: Jakob, I don't see what is wrong with Jonathan reporting these issues. The authors and ratifiers of the BRs made the choice to specify these small details. While a minor encoding error is certainly not as alarming as say, issuing an md5 signed

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 7, 2017, at 16:57, Jakob Bohm via dev-security-policy > wrote: > > On 07/08/2017 22:47, Jonathan Rudenberg wrote: >> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder >> URL that has a HTTPS URI scheme. This is not valid,

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Vincent Lynch via dev-security-policy
Jakob, I don't see what is wrong with Jonathan reporting these issues. The authors and ratifiers of the BRs made the choice to specify these small details. While a minor encoding error is certainly not as alarming as say, issuing an md5 signed certificate, it is still an error and is worth

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jakob Bohm via dev-security-policy
On 07/08/2017 22:47, Jonathan Rudenberg wrote: “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL that has a HTTPS URI scheme. This is not valid; the OCSP responder URI is required to have the plaintext HTTP scheme according to Baseline Requirements section

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 7, 2017, at 16:47, Jonathan Rudenberg via dev-security-policy > wrote: > > “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL > that has a HTTPS URI scheme. This is not valid; the OCSP responder URI is > required to