Re: DigiCert OCSP services returns 1 byte

2019-10-03 Thread Wayne Thayer via dev-security-policy
I've gone ahead and moved [4] to the "Recommended Practices" section. The ballot to modify the BRs is now in the formal discussion period leading up to a vote [5]. I'll be resolving the existing compliance bugs on this issue as INVALID. I'd like to thank the CAs that proactively submitted

Re: DigiCert OCSP services returns 1 byte

2019-10-02 Thread Rob Stradling via dev-security-policy
On 02/10/2019 00:51, Wayne Thayer wrote: > On Tue, Oct 1, 2019 at 3:34 AM Rob Stradling wrote: > > I propose that you update [4] to say that Mozilla won't treat > non-compliance with [4] as an "incident" whilst it remains the case > that the BRs are inconsistent with [4]. > > I could

Re: DigiCert OCSP services returns 1 byte

2019-10-01 Thread Wayne Thayer via dev-security-policy
On Tue, Oct 1, 2019 at 3:34 AM Rob Stradling wrote: > > I propose that you update [4] to say that Mozilla won't treat > non-compliance with [4] as an "incident" whilst it remains the case that > the BRs are inconsistent with [4]. > > I could simply move [4] to a "recommended practice" (SHOULD)

Re: DigiCert OCSP services returns 1 byte

2019-10-01 Thread Rob Stradling via dev-security-policy
On 01/10/2019 00:45, Wayne Thayer via dev-security-policy wrote: > I've initiated a CAB Forum ballot [1] to resolve the inconsistency that Rob > identified. Thanks Wayne. I've offered to endorse. > I also want to acknowledge the feedback from Google on the timing of this. > I can appreciate the

Re: DigiCert OCSP services returns 1 byte

2019-09-30 Thread Wayne Thayer via dev-security-policy
I've initiated a CAB Forum ballot [1] to resolve the inconsistency that Rob identified. I also want to acknowledge the feedback from Google on the timing of this. I can appreciate the framing of this as a new policy that's been added without due process, but I view this as a clarification of

Re: DigiCert OCSP services returns 1 byte

2019-09-25 Thread Clint Wilson via dev-security-policy
On Wed, Sep 25, 2019, 06:30 Neil Dunbar via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > > On 24 Sep 2019, at 07:35, Clint Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > > > […] it seems like one useful change for us > > here

Re: DigiCert OCSP services returns 1 byte

2019-09-25 Thread Neil Dunbar via dev-security-policy
> On 24 Sep 2019, at 07:35, Clint Wilson via dev-security-policy > wrote: > > > […] it seems like one useful change for us > here may be to issue those final certs without the SCTs rather than > abandoning the pre-cert as we do today. We'd obviously still need to > re-attempt issuance of

Re: DigiCert OCSP services returns 1 byte

2019-09-24 Thread Clint Wilson via dev-security-policy
On Tue, Sep 24, 2019 at 5:06 AM Ryan Sleevi wrote: > > > On Tue, Sep 24, 2019 at 2:36 AM Clint Wilson wrote: > >> On Mon, Sep 23, 2019 at 6:29 PM Ryan Sleevi via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >> Agreed especially with the final paragraph here. >>

Re: DigiCert OCSP services returns 1 byte

2019-09-24 Thread Erwann Abalea via dev-security-policy
Hello, On Friday, 20 September 2019 at 22:20:02 UTC+2, Curt Spann wrote: [...] > My interpretation is a “revoked” OCSP response should be used in the > following conditions: [...] > 2. When the OCSP request contains an issuerNameHash and issuerKeyHash for > which the OCSP responder IS

Re: DigiCert OCSP services returns 1 byte

2019-09-24 Thread Clint Wilson via dev-security-policy
On Mon, Sep 23, 2019 at 6:29 PM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Mon, Sep 23, 2019 at 11:53 PM Andy Warner via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > The practice of revoking non-issued certificates would

Re: DigiCert OCSP services returns 1 byte

2019-09-24 Thread Ryan Sleevi via dev-security-policy
On Tue, Sep 24, 2019 at 2:36 AM Clint Wilson wrote: > On Mon, Sep 23, 2019 at 6:29 PM Ryan Sleevi via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Yup. And it’s been repeatedly acknowledged that is perfectly fine. The >> proposed language further considers that, but

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 23, 2019 at 11:53 PM Andy Warner via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The practice of revoking non-issued certificates would therefore lead to > CRL growth which would further make reliable revocation checking on > bandwidth constrained clients

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Curt Spann via dev-security-policy
> The CRL question is not about it being a requirement, but rather the fact > that it could / would lead to disparate treatment between CRL and OCSP for > the same certificate, which does not feel right. The CRL would only grow if the (pre-cert || cert) needed to be revoked for any reason. CRLs

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Andy Warner via dev-security-policy
The CRL question is not about it being a requirement, but rather the fact that it could / would lead to disparate treatment between CRL and OCSP for the same certificate, which does not feel right. On the CT quorum issue, we use a mix of the most available sharded logs and that is the failure

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Kurt Roeckx via dev-security-policy
On Mon, Sep 23, 2019 at 02:53:26PM -0700, Andy Warner via dev-security-policy wrote: > > 1. The new text added to the Mozilla Recommended and Required Practices for > this topic states only OCSP status is required for precertificates. Many CAs > provide both CRLs and OCSP services and it would

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Andy Warner via dev-security-policy
The last thing we intended was for our prior mail to be interpreted as negative and without substance.  That said, it is clear our mail was not received in the light in which it was intended. We would like to rectify that. We have been closely monitoring this thread and as it began to converge

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Dimitris Zacharopoulos via dev-security-policy
On 2019-09-23 5:00 p.m., Ryan Sleevi via dev-security-policy wrote: No. That’s the more dangerous approach which I’ve tried repeatedly to dissuade. You should produce, and distribute, the Good response with the pre-certificate. Understood. Thank you for the clear guidance. Dimitris.

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 23, 2019 at 8:50 AM Dimitris Zacharopoulos wrote: > > > On 2019-09-23 3:02 p.m., Ryan Sleevi wrote: > > It would be useful to identify whether there’s an objective to the > questions, since that might help us cut down things quicker: > - Are you running a 5019 responder or a 6960

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Dimitris Zacharopoulos via dev-security-policy
On 2019-09-23 3:02 p.m., Ryan Sleevi wrote: On Mon, Sep 23, 2019 at 12:50 PM Dimitris Zacharopoulos mailto:ji...@it.auth.gr>> wrote: [...] Doesn't this break compatibility with older clients? It is older clients that need to see "revoked" which is equivalent to "not good"

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 23, 2019 at 12:50 PM Dimitris Zacharopoulos wrote: > > > On 2019-09-23 1:37 p.m., Ryan Sleevi via dev-security-policy wrote: > > On Mon, Sep 23, 2019 at 9:31 AM Dimitris Zacharopoulos via > > dev-security-policy wrote: > > > >> On 20/9/2019 11:00 p.m., Wayne Thayer wrote: > >>> On

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Dimitris Zacharopoulos via dev-security-policy
On 2019-09-23 1:37 p.m., Ryan Sleevi via dev-security-policy wrote: On Mon, Sep 23, 2019 at 9:31 AM Dimitris Zacharopoulos via dev-security-policy wrote: On 20/9/2019 11:00 p.m., Wayne Thayer wrote: On Fri, Sep 20, 2019 at 4:56 AM Dimitris Zacharopoulos mailto:ji...@it.auth.gr>> wrote:

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 23, 2019 at 9:31 AM Dimitris Zacharopoulos via dev-security-policy wrote: > On 20/9/2019 11:00 p.m., Wayne Thayer wrote: > > On Fri, Sep 20, 2019 at 4:56 AM Dimitris Zacharopoulos > > mailto:ji...@it.auth.gr>> wrote: > > > > > > > > Using the following practice as described

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Dimitris Zacharopoulos via dev-security-policy
On 20/9/2019 11:00 p.m., Wayne Thayer wrote: On Fri, Sep 20, 2019 at 4:56 AM Dimitris Zacharopoulos mailto:ji...@it.auth.gr>> wrote: Using the following practice as described in RFC 6960 should not be a violation of the BRs. That is, answering revoked where a pre-certificate

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Curt Spann via dev-security-policy
Great feedback. This is exactly the type of input needed to get clarity around operating OCSP responder services for certificates in the WebPKI ecosystem. > I think an important part missing from this, overall, is to highlight that > these clauses only apply with respect to definitive

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Ryan Sleevi via dev-security-policy
On Fri, Sep 20, 2019 at 4:20 PM Curt Spann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > This is a great discussion and I want to thank everyone for their > continued input. Let me try and summarize my interpretation based on the > input from this thread and related

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Ryan Sleevi via dev-security-policy
I'll share this publicly, so that there's no suggestion that personally or professionally Google Trust Services is treated any differently than any other CA. As a publicly trusted CA, I personally find this a deeply disappointing post towards positive engagement. It's disappointing because it

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Andy Warner via dev-security-policy
Google Trust Services (GTS) reached out to Wayne directly, but I'm also posting here as the conversation seems to be rapidly converging on solutions. GTS still has reservations that the proposed solutions may be problematic to implement and may leave a number of CAs and one very common CA

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Curt Spann via dev-security-policy
This is a great discussion and I want to thank everyone for their continued input. Let me try and summarize my interpretation based on the input from this thread and related RFC. My interpretation is an “unknown” OCSP response should be used in the following conditions: 1. When the OCSP

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Wayne Thayer via dev-security-policy
On Fri, Sep 20, 2019 at 4:56 AM Dimitris Zacharopoulos wrote: > > > Using the following practice as described in RFC 6960 should not be a > violation of the BRs. That is, answering revoked where a pre-certificate > has been issued but not the final certificate should be OK as long as the >

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Ryan Sleevi via dev-security-policy
On Fri, Sep 20, 2019 at 9:58 AM Rob Stradling wrote: > On 19/09/2019 21:01, Ryan Sleevi wrote: > > > It would be helpful for one of the relevant documents, or another > > document, or even an errata, to clarify that OCSP services can be > > offered for pre-certificates. It’s merely

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Rob Stradling via dev-security-policy
On 19/09/2019 21:01, Ryan Sleevi wrote: > It would be helpful for one of the relevant documents, or another > document, or even an errata, to clarify that OCSP services can be > offered for pre-certificates.  It’s merely a question of clarifying > the technical requirements about

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Rob Stradling via dev-security-policy
On 16/09/2019 18:08, Andrew Ayer wrote: > On Fri, 13 Sep 2019 08:22:21 + > Rob Stradling via dev-security-policy > wrote: > >> Thinking aloud... >> Does anything need to be clarified in 6962-bis though? > > Yes, it's long past time that we clarified what this means: Thanks Andrew. I'll

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Dimitris Zacharopoulos via dev-security-policy
Dear Wayne, According to section 2.2 of RFC 6960, an OCSP responder may respond "revoked" for a "non-issued" Certificate. It even allows this response for "unknown" Certificates in order to support backwards compatibility with implementations of RFC 2560. In addition to that, section 4.4.8

Re: DigiCert OCSP services returns 1 byte

2019-09-19 Thread Ryan Sleevi via dev-security-policy
On Thu, Sep 19, 2019 at 2:55 PM Tim Hollebeek wrote: > I also don’t think it’s helpful to try to redefine long-standing and > well-understood terminology like what it means to issue a certificate. In > fact, I just checked, and using a definition like “reserving a serial > number” causes many

RE: DigiCert OCSP services returns 1 byte

2019-09-19 Thread Tim Hollebeek via dev-security-policy
Subject: Re: DigiCert OCSP services returns 1 byte On Thu, Sep 19, 2019 at 1:52 PM Tim Hollebeek via dev-security-policy mailto:dev-security-policy@lists.mozilla.org> > wrote: I think that's fine as Mozilla and/or the CABF can and should override RFCs when it makes sense to

Re: DigiCert OCSP services returns 1 byte

2019-09-19 Thread Ryan Sleevi via dev-security-policy
On Thu, Sep 19, 2019 at 1:52 PM Tim Hollebeek via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I think that's fine as Mozilla and/or the CABF can and should override > RFCs when it makes sense to do so, but I think it would also be helpful in > the long term to fix the

RE: DigiCert OCSP services returns 1 byte

2019-09-19 Thread Tim Hollebeek via dev-security-policy
> Thanks Wayne. You're right. > > (I read the "SHOULD NOT" requirement, forgot it had been superseded, and > didn't read further. I wonder if it would be reasonable to remove the > superseded requirement from the BRs now, given that it was superseded over > 6 years ago?) Removing out of date

RE: DigiCert OCSP services returns 1 byte

2019-09-19 Thread Tim Hollebeek via dev-security-policy
k > Cc: Jeremy Rowley ; Alex Cohn > ; mozilla-dev-security-pol...@lists.mozilla.org; Wayne > Thayer > Subject: Re: DigiCert OCSP services returns 1 byte > > On 13/09/2019 19:24, Tim Hollebeek wrote: > > Yes, but I think this clarifies things in the wrong direction. >

Re: DigiCert OCSP services returns 1 byte

2019-09-19 Thread Wayne Thayer via dev-security-policy
I have gone ahead and added a section titled "Precertificates" [1] to the Required Practices wiki page. I have also updated a policy issue [2] suggesting that this be moved into the Root Store policy, and added a new issue [3] suggesting that we clarify the acceptable use of the "unknown" OCSP

Re: DigiCert OCSP services returns 1 byte

2019-09-18 Thread Wayne Thayer via dev-security-policy
Thanks Curt. Reading between the lines of Ryan's and your response, I'm thinking that we should specifically ban or limit the scope of "unknown" responses somewhere - perhaps in the BRs. Otherwise I think RFC 6960 leaves some room for a CA to argue that they are permitted to use that response in

Re: DigiCert OCSP services returns 1 byte

2019-09-18 Thread Curt Spann via dev-security-policy
My interpretation is once a precertificate has been signed with the issuing CA key the corresponding OCSP service should only respond with "good" or "revoked". In this case an "unknown" response indicates the specific serial number for the issuing CA has not been assigned which isn’t the case.

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Wayne Thayer via dev-security-policy
Version 3 of my proposal replaces Jeremy's suggested examples with Andrew and Ryan's: The current implementation of Certificate Transparency does not provide any > way for Relying Parties to determine if a certificate corresponding to a > given precertificate has or has not been issued. It is

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Neil Dunbar via dev-security-policy
> On 17 Sep 2019, at 16:14, Ryan Sleevi via dev-security-policy > wrote: > > On Tue, Sep 17, 2019 at 10:00 AM Neil Dunbar via dev-security-policy < > dev-security-policy@lists.mozilla.org > > wrote: > >> >> >>> On 17 Sep 2019, at 14:34, Rob

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Ryan Sleevi via dev-security-policy
On Tue, Sep 17, 2019 at 10:00 AM Neil Dunbar via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > > On 17 Sep 2019, at 14:34, Rob Stradling via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > Hi Kurt. I agree, hence why I proposed: > > > >

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Neil Dunbar via dev-security-policy
> On 17 Sep 2019, at 14:34, Rob Stradling via dev-security-policy > wrote: > > Hi Kurt. I agree, hence why I proposed: > > "- I would also like to see BR 4.9.10 revised to say something roughly > along these lines: >'If the OCSP responder receives a status request for a serial number

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Rob Stradling via dev-security-policy
On 17/09/2019 08:01, Kurt Roeckx via dev-security-policy wrote: > On 2019-09-16 14:02, Rob Stradling wrote: >> >> ISTM that this "certificate presumed to exist" concept doesn't play >> nicely with the current wording of BR 4.9.10: >>     'If the OCSP responder receives a request for status of a

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Rob Stradling via dev-security-policy
On 16/09/2019 23:58, Wayne Thayer wrote: > On Mon, Sep 16, 2019 at 5:02 AM Rob Stradling wrote: > And so at this point ISTM that the OCSP responder is expected to > implement two conflicting requirements for the serial number in > question: >    (1) MUST respond "good", because

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 16, 2019 at 6:59 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Mon, Sep 16, 2019 at 5:02 AM Rob Stradling wrote: > > > On 14/09/2019 00:27, Andrew Ayer via dev-security-policy wrote: > > > > > > If a certificate (with embedded SCTs and

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Kurt Roeckx via dev-security-policy
On 2019-09-16 14:02, Rob Stradling wrote: ISTM that this "certificate presumed to exist" concept doesn't play nicely with the current wording of BR 4.9.10: 'If the OCSP responder receives a request for status of a certificate that has not been issued, then the responder SHOULD NOT

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Jakob Bohm via dev-security-policy
On 17/09/2019 00:58, Wayne Thayer wrote: > On Mon, Sep 16, 2019 at 5:02 AM Rob Stradling wrote: > >> On 14/09/2019 00:27, Andrew Ayer via dev-security-policy wrote: >> >> >> If a certificate (with embedded SCTs and no CT poison extension) is >> "presumed to exist" but the CA has not actually

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Wayne Thayer via dev-security-policy
On Mon, Sep 16, 2019 at 5:02 AM Rob Stradling wrote: > On 14/09/2019 00:27, Andrew Ayer via dev-security-policy wrote: > > > If a certificate (with embedded SCTs and no CT poison extension) is > "presumed to exist" but the CA has not actually issued it, then to my > mind that's a "certificate

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 16, 2019 at 3:25 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 16/09/2019 19:08, Andrew Ayer wrote: > > On Fri, 13 Sep 2019 08:22:21 + > > Rob Stradling via dev-security-policy > > wrote: > > > >> Thinking aloud... > >> Does anything

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Jakob Bohm via dev-security-policy
On 16/09/2019 19:08, Andrew Ayer wrote: > On Fri, 13 Sep 2019 08:22:21 + > Rob Stradling via dev-security-policy > wrote: > >> Thinking aloud... >> Does anything need to be clarified in 6962-bis though? > > Yes, it's long past time that we clarified what this means: > > "This signature

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Andrew Ayer via dev-security-policy
On Fri, 13 Sep 2019 08:22:21 + Rob Stradling via dev-security-policy wrote: > Thinking aloud... > Does anything need to be clarified in 6962-bis though? Yes, it's long past time that we clarified what this means: "This signature indicates the CA's intent to issue the certificate. This

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Rob Stradling via dev-security-policy
On 14/09/2019 00:27, Andrew Ayer via dev-security-policy wrote: > Here's some suggested wording for the last paragraph: > >> This means, for example, that (i) a CA must provide OCSP services >> and responses in accordance with Mozilla policy for all certificates >> presumed to exist based on the

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Rob Stradling via dev-security-policy
; -Tim > >> -Original Message- >> From: Rob Stradling >> Sent: Friday, September 13, 2019 4:22 AM >> To: Tim Hollebeek ; Jeremy Rowley >> ; Alex Cohn >> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Wayne Thayer >> >> Subject: Re: DigiCe

Re: DigiCert OCSP services returns 1 byte

2019-09-13 Thread Andrew Ayer via dev-security-policy
Hi Wayne, > > This means, for example, that (i) a CA must provide OCSP services and > > responses in accordance with Mozilla policy for all Precertificates as if > > the corresponding certificate exists, and (ii) a CA must be able to revoke > > a Precertificate if revocation of the certificate is

Re: DigiCert OCSP services returns 1 byte

2019-09-13 Thread Wayne Thayer via dev-security-policy
om: Rob Stradling > > Sent: Friday, September 13, 2019 4:22 AM > > To: Tim Hollebeek ; Jeremy Rowley > > ; Alex Cohn > > Cc: mozilla-dev-security-pol...@lists.mozilla.org; Wayne Thayer > > > > Subject: Re: DigiCert OCSP services returns 1 byte > > >

RE: DigiCert OCSP services returns 1 byte

2019-09-13 Thread Tim Hollebeek via dev-security-policy
; >> -Original Message- > >> From: dev-security-policy > >> On Behalf Of Jeremy > >> Rowley via dev-security-policy > >> Sent: Thursday, September 12, 2019 1:46 PM > >> To: Alex Cohn > >> Cc: mozilla-dev-security-pol...@lists.mozilla.or

RE: DigiCert OCSP services returns 1 byte

2019-09-13 Thread Tim Hollebeek via dev-security-policy
that there seems to be a growing consensus for. -Tim From: Ryan Sleevi Sent: Thursday, September 12, 2019 6:44 PM To: Tim Hollebeek Cc: Jeremy Rowley ; Alex Cohn ; mozilla-dev-security-pol...@lists.mozilla.org; Wayne Thayer Subject: Re: DigiCert OCSP services returns 1 byte

Re: DigiCert OCSP services returns 1 byte

2019-09-13 Thread Rob Stradling via dev-security-policy
tent is that a CT-naïve OCSP checker would work normally when >> presented with a precert or a certificate. Afterall, a precert is really >> just a >> certificate with a special extension. >> >> From: Alex Cohn >> Sent: Thursday, September 12, 2019 9:25 AM

Re: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Ryan Sleevi via dev-security-policy
:40 PM > To: Alex Cohn > Cc: mozilla-dev-security-pol...@lists.mozilla.org; Wayne Thayer < > wtha...@mozilla.com>; Jeremy Rowley > Subject: Re: DigiCert OCSP services returns 1 byte > > On Thu, Sep 12, 2019 at 11:25 AM Alex Cohn via dev-security-policy < > dev-security-p

RE: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Jeremy Rowley via dev-security-policy
...@sleevi.com; Alex Cohn Cc: mozilla-dev-security-pol...@lists.mozilla.org; Jeremy Rowley ; Wayne Thayer Subject: RE: DigiCert OCSP services returns 1 byte Why would a user agent view a pre-certificate as "evidence that an equivalent certificate exists"? It's evidence that it m

RE: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Tim Shirley via dev-security-policy
--Original Message- From: dev-security-policy On Behalf Of Ryan Sleevi via dev-security-policy Sent: Thursday, September 12, 2019 6:40 PM To: Alex Cohn Cc: mozilla-dev-security-pol...@lists.mozilla.org; Wayne Thayer ; Jeremy Rowley Subject: Re: DigiCert OCSP services returns 1 byte On Thu, Se

Re: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Alex Cohn via dev-security-policy
Neil's interpretation of my poorly-worded question was correct - thank you and apologies for the confusion. On Thu, Sep 12, 2019 at 5:39 PM Ryan Sleevi wrote: > > On Thu, Sep 12, 2019 at 11:25 AM Alex Cohn via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Should a

Re: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Ryan Sleevi via dev-security-policy
:46 PM > > To: Alex Cohn > > Cc: mozilla-dev-security-pol...@lists.mozilla.org; Wayne Thayer > > > > Subject: RE: DigiCert OCSP services returns 1 byte > > > > The language says you have to provide the response for the cert as if it > exists,

Re: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Ryan Sleevi via dev-security-policy
On Thu, Sep 12, 2019 at 11:25 AM Alex Cohn via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wed, Sep 11, 2019 at 10:09 PM Jeremy Rowley via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > This means, for example, that (i) a CA must provide

RE: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Tim Shirley via dev-security-policy
la-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert OCSP services returns 1 byte > On 12 Sep 2019, at 18:46, Jeremy Rowley via dev-security-policy > wrote: > > The language says you have to provide the response for the cert as if it > exists, but the reality is

RE: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Tim Hollebeek via dev-security-policy
curity-policy On > Behalf Of Jeremy Rowley via dev-security-policy > Sent: Thursday, September 12, 2019 1:46 PM > To: Alex Cohn > Cc: mozilla-dev-security-pol...@lists.mozilla.org; Wayne Thayer > > Subject: RE: DigiCert OCSP services returns 1 byte > > The lan

Re: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Neil Dunbar via dev-security-policy
> On 12 Sep 2019, at 18:46, Jeremy Rowley via dev-security-policy > wrote: > > The language says you have to provide the response for the cert as if it > exists, but the reality is that sending a response for the precert is the > same as calculating the result for the certificate as if it

RE: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Jeremy Rowley via dev-security-policy
, 2019 9:25 AM To: Jeremy Rowley Cc: Wayne Thayer ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert OCSP services returns 1 byte On Wed, Sep 11, 2019 at 10:09 PM Jeremy Rowley via dev-security-policy mailto:dev-security-policy@lists.mozilla.org>> wrote: This means, for e

Re: DigiCert OCSP services returns 1 byte

2019-09-12 Thread Alex Cohn via dev-security-policy
On Wed, Sep 11, 2019 at 10:09 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > This means, for example, that (i) a CA must provide OCSP services and > responses in accordance with the Mozilla policy for all pre-certificates as > if corresponding

Re: DigiCert OCSP services returns 1 byte

2019-09-11 Thread Jeremy Rowley via dev-security-policy
v-security-pol...@lists.mozilla.org Subject: Re: DigiCert OCSP services returns 1 byte Correct. That's what I intended to convey with the last sentence: This means, for example, that the requirements for OCSP for end-entity certificates apply even when a CA has issued a precertificate witho

Re: DigiCert OCSP services returns 1 byte

2019-09-11 Thread Wayne Thayer via dev-security-policy
cy > On Behalf Of Wayne Thayer via dev-security-policy > Sent: Wednesday, September 11, 2019 7:08 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: DigiCert OCSP services returns 1 byte > > Mozilla has, to-date, not published policies related to Certific

RE: DigiCert OCSP services returns 1 byte

2019-09-11 Thread Jeremy Rowley via dev-security-policy
lla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert OCSP services returns 1 byte Mozilla has, to-date, not published policies related to Certificate Transparency, but this is a case where a clarification would be helpful. I propose adding the following language to our "Required Practices&quo

Re: DigiCert OCSP services returns 1 byte

2019-09-11 Thread Wayne Thayer via dev-security-policy
> an AIA in the certificate. Pre-certs are end-entity certificates. > > Jeremy > > -Original Message- > From: dev-security-policy > On Behalf Of Jeremy Rowley via dev-security-policy > Sent: Thursday, August 29, 2019 11:55 AM > To: Peter Bowen ; Ryan Sleevi > Cc:

RE: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Jeremy Rowley via dev-security-policy
: Thursday, August 29, 2019 11:55 AM To: Peter Bowen ; Ryan Sleevi Cc: Curt Spann ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert OCSP services returns 1 byte Yes. That was the point of my post. There is a requirement to return an ocsp response for a pre cert where the cert has

Re: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Jeremy Rowley via dev-security-policy
a poison extension) exists. From: Peter Bowen Sent: Thursday, August 29, 2019 11:44:11 AM To: Ryan Sleevi Cc: Jeremy Rowley ; Curt Spann ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert OCSP services returns 1 byte On Thu, Aug 29, 2019 at 10

Re: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Jeremy Rowley via dev-security-policy
OCSP services returns 1 byte To: Jeremy Rowley Cc: Curt Spann, mozilla-dev-security-pol...@lists.mozilla.org On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy mailto:dev-security-policy@lists.mozilla.org>> wrote: Thanks for posting this Curt. We investigated and

Re: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Peter Bowen via dev-security-policy
On Thu, Aug 29, 2019 at 10:38 AM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Thanks for posting this Curt. We investigated and

Re: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Thanks for posting this Curt. We investigated and posted an incident > report on Bugzilla. The root cause was related to pre-certs and an error in > generating certificates for

RE: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Jeremy Rowley via dev-security-policy
Thanks for posting this Curt. We investigated and posted an incident report on Bugzilla. The root cause was related to pre-certs and an error in generating certificates for them. We're fixing the issue (should be done shortly). I figured it'd be good to document here why pre-certs fall under

RE: DigiCert OCSP services returns 1 byte

2019-08-27 Thread Jeremy Rowley via dev-security-policy
...@lists.mozilla.org; Curt Spann Subject: Re: DigiCert OCSP services returns 1 byte Curt Spann via dev-security-policy writes: >I created the following bug: >https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 Maybe it's an implementation of OCSP SuperDietLite, 1 = revoked, 0 = not r

Re: DigiCert OCSP services returns 1 byte

2019-08-27 Thread Peter Gutmann via dev-security-policy
Curt Spann via dev-security-policy writes: >I created the following bug: >https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 Maybe it's an implementation of OCSP SuperDietLite, 1 = revoked, 0 = not revoked. In terms of it being unsigned, you can get the same effect by setting respStatus =