Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-31 Thread Peter Gutmann via dev-security-policy
Kirk Hall via dev-security-policy writes: >does GSB use any EV certificate identity data in its phishing algorithms. Another way to think about this is to look at it from the criminals' perspective: What's the value to criminals? To use a silly example, the value to criminals of an

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-31 Thread Jeremy Rowley via dev-security-policy
Obviously I think good is the best answer based on my previous posts. A precert is still a cert. But I can see how people could disagree with me. From: dev-security-policy on behalf of Jeremy Rowley via dev-security-policy Sent: Saturday, August 31, 2019

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-31 Thread Jeremy Rowley via dev-security-policy
I don't recall the CAB Forum ever contemplating or discussing OCSP for precertificates. The requirement to provide responses is pretty clear, but what that response should be is a little confusing imo. From: dev-security-policy on behalf of Tomas Gustavsson via

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-31 Thread Tomas Gustavsson via dev-security-policy
On Saturday, August 31, 2019 at 3:13:00 PM UTC+2, Jeremy Rowley wrote: > From RFC6962: > > “As above, the Precertificate submission MUST be accompanied by the > Precertificate Signing Certificate, if used, and all additional certificates > required to verify the chain up to an accepted root

RE: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-31 Thread Jeremy Rowley via dev-security-policy
You’re right. It could be any of the responses under RFC 6960. From: Alex Cohn Sent: Friday, August 30, 2019 7:22 PM To: Jeremy Rowley Cc: Jacob Hoffman-Andrews ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for

RE: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-31 Thread Jeremy Rowley via dev-security-policy
The best way to codify it is at the CAB forum since the CAB Forum language is the one that causes the problem (imo). We made a mistake by defining a precertificate as “not a certificate” when the intent was mostly to allow CAs to issue precertificates that had serial numbers duplicative with

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-31 Thread Jeremy Rowley via dev-security-policy
From RFC6962: “As above, the Precertificate submission MUST be accompanied by the Precertificate Signing Certificate, if used, and all additional certificates required to verify the chain up to an accepted root certificate. The signature on the TBSCertificate indicates the certificate

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-31 Thread Tomas Gustavsson via dev-security-policy
Hi, I find and hear a few inconclusive, sometimes contradictory, messages about OCSP responder handling of precertificates without final certificates. Reading this thread I don't find a firm conclusion either (albeit I may have missed it). I'm not saying anything others have not said before,
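The two readings argued over in this thread (Jeremy Rowley's "any of the responses under RFC 6960" and Tomas Gustavsson's question about precertificates that never got a final certificate) can be made concrete with a toy responder. The following is an added example, not Let's Encrypt's, DigiCert's or any CA's code. It uses the `cryptography` package; the in-memory issuance database, the `policy` switch, the certificate names and serials are all assumptions made for the demonstration. A precertificate is recognised by the critical CT poison extension (RFC 6962 section 3.1) and, as noted earlier in the thread, shares its serial with the final certificate, so the OCSP CertID is the same for both. For a serial the responder has never issued at all, the example returns the RFC 6960 section 2.3 "unauthorized" error status; that choice is the example's, the standard also allows the "unknown" certificate status there.

```python
"""Toy OCSP responder/client for precertificates (added example, not any CA's code)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Constructed validity window; nothing here validates dates.
NOT_BEFORE = datetime.datetime(2019, 8, 28)
NOT_AFTER = NOT_BEFORE + datetime.timedelta(days=90)
DER = serialization.Encoding.DER


def make_ca():
    """Self-signed toy issuer (constructed, assumption: not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Toy Issuing CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key


def issue(ca_cert, ca_key, leaf_key, cn, serial, precert):
    """Issue a leaf. The precertificate differs from the final certificate only by
    the critical CT poison extension (RFC 6962 s3.1); both carry the same serial."""
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(ca_cert.subject).public_key(leaf_key.public_key())
         .serial_number(serial).not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER))
    if precert:
        b = b.add_extension(x509.PrecertPoison(), critical=True)
    return b.sign(ca_key, hashes.SHA256())


def is_precertificate(cert):
    try:
        cert.extensions.get_extension_for_class(x509.PrecertPoison)
        return True
    except x509.ExtensionNotFound:
        return False


class ToyResponder:
    """Assumed issuance DB keyed by serial. `policy` picks the reading for a serial
    that has a logged precertificate but no final certificate: "good" or "unauthorized"."""

    def __init__(self, ca_cert, ca_key, policy):
        assert policy in ("good", "unauthorized")
        self.ca_cert, self.ca_key, self.policy = ca_cert, ca_key, policy
        self.db = {}

    def record(self, cert):
        slot = self.db.setdefault(cert.serial_number, {"precert": None, "final": None})
        slot["precert" if is_precertificate(cert) else "final"] = cert

    def respond(self, request_der):
        req = ocsp.load_der_ocsp_request(request_der)
        entry = self.db.get(req.serial_number)
        if entry is None or (entry["final"] is None and self.policy == "unauthorized"):
            # RFC 6960 s2.3 error status: no BasicOCSPResponse, no CertStatus at all.
            resp = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED)
        else:
            cert = entry["final"] or entry["precert"]  # same CertID either way
            resp = (ocsp.OCSPResponseBuilder()
                    .add_response(cert=cert, issuer=self.ca_cert, algorithm=hashes.SHA1(),
                                  cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOT_BEFORE,
                                  next_update=NOT_BEFORE + datetime.timedelta(days=7),
                                  revocation_time=None, revocation_reason=None)
                    .responder_id(ocsp.OCSPResponderEncoding.HASH, self.ca_cert)
                    .sign(self.ca_key, hashes.SHA256()))
        return resp.public_bytes(DER)


def build_request(cert, issuer):
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build().public_bytes(DER)


def interpret(response_der):
    """What a relying party sees: (OCSPResponseStatus name, CertStatus name or None).
    "unauthorized" is a responder error, not a statement about the certificate."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return resp.response_status.name, None
    return resp.response_status.name, resp.certificate_status.name


def demo():
    ca_cert, ca_key = make_ca()
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    precert = issue(ca_cert, ca_key, leaf_key, "example.test", 0x1234, precert=True)
    final = issue(ca_cert, ca_key, leaf_key, "example.test", 0x1234, precert=False)
    never = issue(ca_cert, ca_key, leaf_key, "never-issued.test", 0x9999, precert=False)
    out = {"precert_flagged": is_precertificate(precert), "final_flagged": is_precertificate(final)}
    for policy in ("good", "unauthorized"):
        r = ToyResponder(ca_cert, ca_key, policy)
        r.record(precert)  # precertificate logged to CT, final certificate not (yet) issued
        out[policy + "/precert_only"] = interpret(r.respond(build_request(precert, ca_cert)))
        r.record(final)
        out[policy + "/final_issued"] = interpret(r.respond(build_request(final, ca_cert)))
        out[policy + "/unknown_serial"] = interpret(r.respond(build_request(never, ca_cert)))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

Running `demo()` shows the practical difference: under the "good" policy a client asking about a precertificate-only serial gets a signed `SUCCESSFUL`/`GOOD` answer, while under the "unauthorized" policy it gets the bare error status with no certificate status at all, which most clients treat as a responder failure rather than as information about the certificate.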