Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-05-01 Thread Clint Wilson via Servercert-wg
I did a quick check, but was only able to find one recently issued leaf certificate that contained an https CA Issuers URI. There seem to be about 26 CA certificates that do as well, but all were issued before 2019 except for 2. Of the 1 leaf and 2 CA certificates that are more recent, they’re

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-05-01 Thread Corey Bonnell via Servercert-wg
Hi Dimitris, My understanding is that the intent was indeed to restrict these to HTTP specifically. That is, the phrase “the only URLS present MUST be HTTP URLs” is intended to preclude t

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-05-01 Thread Dimitris Zacharopoulos (HARICA) via Servercert-wg
Thanks Clint, It would help doing some research in CENSYS to see if this is a real problem or not. I will try to get some additional resources internally to help me with this. In any case, this discussion might inspire some of the linting software developers to write a lint expecting only

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-30 Thread Clint Wilson via Servercert-wg
Hi Dimitris, My understanding is that the intent was indeed to restrict these to HTTP specifically. That is, the phrase “the only URLS present MUST be HTTP URLs” is intended to preclude the use of HTTPS, and not just to indicate that any scheme which relies on the Hypertext Transfer Protocol

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-25 Thread Dimitris Zacharopoulos (HARICA) via Servercert-wg
Hi Ryan, The question is not between HTTP vs FTP vs LDAP but specifically for "HTTP URL" that could have two schemes "http" and "https". RFC 2616 (June 1999) included only "http" and was updated in May 2000 by RFC 2817 to include TLS Within

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-25 Thread Sven Rajala via Servercert-wg
It's my understanding that the intent of the updates made in SC-62 was to prohibit any non-HTTP URI. This was discussed in: 1) at least one historical GitHub discussion (referenced in ballot preamble

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-25 Thread Ryan Dickson via Servercert-wg
It's my understanding that the intent of the updates made in SC-62 was to prohibit any non-HTTP URI. This was discussed in: 1) at least one historical GitHub discussion (referenced in ballot preamble

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-25 Thread Adriano Santoni via Servercert-wg
Hi, IMO, including an HTTPS URI in the *id-ad-caIssuers* accessMethod is at least a bad practice and very unwise (if done on purpose), as it may give rise to unbounded loops, as it is clearly explained in RFC5280: CAs SHOULD NOT include URIs that specify https, ldaps, or similar schemes in