On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg wrote:
> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL 
> that has an HTTPS URI scheme. This is not valid; the OCSP responder URI is 
> required to have the plaintext HTTP scheme according to Baseline Requirements 
> section 7.1.2.2(c).
> 
> Here’s the list of certificates: https://misissued.com/batch/4/
> 
> Jonathan

IdenTrust had previously interpreted HTTP to be inclusive of HTTPS in this 
context.  That being said, we have altered our profiles for certificates 
issued under this Sub CA to include only HTTP OCSP URLs.  All certificates 
issued going forward will contain an HTTP OCSP URL.  We will also examine all 
other sub CAs to ensure only HTTP OCSP URLs are included.  Thank you for giving 
us an opportunity to address this with the community.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
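
The check discussed in this thread (every OCSP responder URI in a certificate's Authority Information Access extension uses the plaintext `http` scheme) can be run as a pre-issuance lint. The following is an added example, not part of either message and not IdenTrust's tooling; it assumes the caller has already extracted the DER value of the AIA extension, and the sample bytes and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp 1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers
SEQUENCE, OID, URI = 0x30, 0x06, 0x86  # URI = GeneralName [6] IA5String

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def ocsp_uris(aia_der):
    """List OCSP accessLocation URIs in a DER AuthorityInfoAccessSyntax."""
    tag, body, end = read_tlv(aia_der, 0)
    if tag != SEQUENCE or end != len(aia_der):
        raise ValueError("expected a single outer SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        if tag != SEQUENCE:
            raise ValueError("expected AccessDescription SEQUENCE")
        m_tag, method, nxt = read_tlv(desc, 0)
        l_tag, location, _ = read_tlv(desc, nxt)
        if m_tag == OID and method == OID_OCSP and l_tag == URI:
            uris.append(location.decode("ascii"))
    return uris

def non_http_ocsp(aia_der):
    # OCSP URIs whose scheme is anything other than plaintext http.
    return [u for u in ocsp_uris(aia_der) if urlsplit(u).scheme.lower() != "http"]

def sample_aia(*entries):
    """Build a small constructed AIA value (short-form lengths only)."""
    tlv = lambda tag, val: bytes([tag, len(val)]) + val
    return tlv(SEQUENCE, b"".join(
        tlv(SEQUENCE, tlv(OID, oid) + tlv(URI, uri.encode())) for oid, uri in entries))
# Constructed samples; hostnames are placeholders.
BAD = sample_aia((OID_OCSP, "https://ocsp.example.test/"),
                 (OID_CA_ISSUERS, "http://ca.example.test/ca.cer"))
GOOD = sample_aia((OID_OCSP, "http://ocsp.example.test/"))
```

An empty list from `non_http_ocsp` means the profile passes this check; the caIssuers entry is ignored because only the OCSP access method is examined here.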
