Re: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Ryan Sleevi via dev-security-policy
On Wed, Sep 4, 2019 at 9:47 AM Peter Mate, Erdosi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > My question is the following: is it allowed to issue an OCSP Responder > certificate with "id-kp-OCSPSigning" EKU from a technically constrained CA > if the

Re: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Ryan Sleevi via dev-security-policy
On Wed, Sep 4, 2019 at 11:06 AM Ben Wilson wrote: > I thought that the EKU "id-kp-OCSPSigning" was for the OCSP responder > certificate itself (not the CA that issues the OCSP responder certificate). > I don't think I've encountered a problem before, but I guess it would > depend > on the

RE: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Ben Wilson via dev-security-policy
I thought that the EKU "id-kp-OCSPSigning" was for the OCSP responder certificate itself (not the CA that issues the OCSP responder certificate). I don't think I've encountered a problem before, but I guess it would depend on the implementation? -Original Message- From:

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Matt Palmer via dev-security-policy
On Tue, Sep 03, 2019 at 06:16:23PM -0700, Kirk Hall via dev-security-policy wrote: > However, I did receive authority to post the following statement from > someone who works for a major browser phishing filter (but without > disclosing the person's name or company). Here is the authorized >

Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Peter Mate, Erdosi via dev-security-policy
Dear list, I have a question about the issuance of the OCSP responder certificates in case of technically constrained CAs. I apologize for the long introduction, but this may be an important audit question in the (near) future. --- BEGIN INTRO --- I would like to cite five points from the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Kurt Roeckx via dev-security-policy
On 2019-09-04 14:14, Matt Palmer wrote: If EV information is of use in anti-phishing efforts, then it would be best for the providers of anti-phishing services to team up with CAs to describe the advantages of continuing to provide an EV certificate. If site owners, who are presumably smart

Re: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Jakob Bohm via dev-security-policy
On 04/09/2019 17:14, Ryan Sleevi wrote: > On Wed, Sep 4, 2019 at 11:06 AM Ben Wilson wrote: > >> I thought that the EKU "id-kp-OCSPSigning" was for the OCSP responder >> certificate itself (not the CA that issues the OCSP responder certificate). >> I don't think I've encountered a problem

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Matt Palmer via dev-security-policy
On Wed, Sep 04, 2019 at 03:50:40PM +0200, Kurt Roeckx via dev-security-policy wrote: > On 2019-09-04 14:14, Matt Palmer wrote: > > If EV information is of use in anti-phishing efforts, then it would be best > > for the providers of anti-phishing services to team up with CAs to describe > > the