On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg wrote:
>
> > On Aug 8, 2017, at 10:29, identrust--- via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >
> > On Monday, August 7, 2017 at 4:47:39 PM UTC-4, Jonathan Rudenberg wrote:
> >> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder
> >> URL that has an HTTPS URI scheme. This is not valid; the OCSP responder URI
> >> is required to have the plaintext HTTP scheme according to Baseline
> >> Requirements section 7.1.2.2(c).
> >>
> >> Here’s the list of certificates: https://misissued.com/batch/4/
> >>
> >> Jonathan
> >
> > IdenTrust had previously interpreted HTTP to be inclusive of HTTPS in this
> > context. That being said, we have altered our profiles for certificates
> > issued under this Sub CA to include only HTTP OCSP URLs. All certificates
> > issued going forward will contain an HTTP OCSP URL. We will also examine all
> > other sub CAs to ensure only HTTP OCSP URLs are included. Thank you for giving
> > us an opportunity to address this with the community.
>
> Thanks for the update.
>
> Can you also clarify why the subject organizationName is "U.S. Government”
> for all of these certificates, despite the other subject fields indicating
> organizations that are not a component of the US Government?
>
> Jonathan
Yes, IdenTrust ACES SSL Certificates are issued in accordance with the ACES certificate policy defined by the U.S. General Services Administration (http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/documents/ACES-CP-v3-2_signed_05122017.pdf) and the GSA-approved IdenTrust CPS (https://secure.identrust.com/certificates/policy/aces/IdenTrust_ACES_CPS_v5.1_20161110.pdf).

These ACES SSL certificates are issued to U.S. Government agencies and/or their sub-contractors in support of government programs/projects. The CP requires an approved CA, such as IdenTrust, to identify U.S. Government in subject organizationName along with other applicable organizations (e.g. sub-contractors, local government agencies, etc.).
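The BR 7.1.2.2(c) check that caught these certificates can be reproduced by decoding the AuthorityInfoAccess extension value (a DER SEQUENCE OF AccessDescription) and flagging any OCSP accessLocation URI whose scheme is not plain http. The following is an added example, not code from the thread, misissued.com or IdenTrust; it uses a minimal stdlib DER encoder/parser and a constructed sample AIA with placeholder hostnames rather than a real IdenTrust certificate.

```python
from urllib.parse import urlsplit

OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp 1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder: tag, definite length (short or long form), body."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _parse_tlvs(data: bytes):
    """Yield (tag, value) for each definite-length DER element in data."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                      # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + ln]
        i += ln


def ocsp_uris(aia_der: bytes) -> list:
    """Return every OCSP uniformResourceIdentifier ([6] IA5String) in an AIA value."""
    (outer_tag, outer), = _parse_tlvs(aia_der)
    assert outer_tag == 0x30, "AIA value must be a SEQUENCE"
    uris = []
    for _, desc in _parse_tlvs(outer):     # each AccessDescription SEQUENCE
        (_, oid), (loc_tag, loc) = _parse_tlvs(desc)
        if oid == OID_OCSP and loc_tag == 0x86:
            uris.append(loc.decode("ascii"))
    return uris


def lint_ocsp_scheme(aia_der: bytes) -> list:
    """One finding per OCSP URI that violates BR 7.1.2.2(c) (scheme must be http)."""
    return [f"OCSP URI must use http scheme: {u}"
            for u in ocsp_uris(aia_der) if urlsplit(u).scheme != "http"]


def build_aia(ocsp_uri: str, ca_issuers_uri: str) -> bytes:
    """Constructed sample AIA extension value (hypothetical hosts, not real data)."""
    def desc(oid, uri):
        return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x86, uri.encode("ascii")))
    return _tlv(0x30, desc(OID_OCSP, ocsp_uri) + desc(OID_CA_ISSUERS, ca_issuers_uri))


BAD = build_aia("https://ocsp.example.test", "http://ca.example.test/ca.p7c")
GOOD = build_aia("http://ocsp.example.test", "http://ca.example.test/ca.p7c")

if __name__ == "__main__":
    print(lint_ocsp_scheme(BAD), lint_ocsp_scheme(GOOD))
```

To run this against a real certificate, feed `lint_ocsp_scheme` the raw value of the extension with OID 1.3.6.1.5.5.7.1.1 as extracted by your X.509 parser of choice.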