[cabfpub] Pre-Ballot - Short-Life Certificates

Ryan Sleevi sleevi at google.com
Wed Oct 29 16:29:02 MST 2014


On Wed, Oct 29, 2014 at 4:24 PM, Eddy Nigg <eddy_nigg at startcom.org> wrote:

>
> On 10/30/2014 12:24 AM, Ryan Sleevi wrote:
>
> On Wed, Oct 29, 2014 at 3:12 PM, Eddy Nigg <eddy_nigg at startcom.org> wrote:
>
>>
>> On 10/29/2014 08:50 PM, kirk_hall at trendmicro.com wrote:
>>
>> I agree that browsers and apps will make their own judgments about when a
>> case of BR non-compliance is serious enough to warrant a UI warning, and
>> when it can be ignored.  I would just offer my opinion that lack of CDP and
>> AIA data in a cert (whether or not Chrome wants to check that information
>> in the client) is a fundamental certificate flaw that renders the cert
>> inherently untrustworthy, and it should automatically be rejected by
>> applications (just as expired certs, etc. are now automatically rejected).
>> But that’s just my opinion.
>>
>>
>>  Considering that CAs were required to modify the OCSP responders to
>> include Good, Revoked and *Unknown* upon request of the browsers mostly
>> (I believe Google was a strong supporter of that), it's rather confusing to
>> know that browsers entirely ignore it if the certificates have no OCSP (and
>> CRL) pointers, not speaking about checking this information when available.
>>
>
>> So what does it matter if Diginotar knew or didn't know which
>> certificates were issued if this information wouldn't be used anyway?
>>
>
>  OCSP stapling. And OCSP Must-Staple.
>
>
> If Chrome gets a stapled response, it honors it?
>

Correct


> But if there is no stapled response it will not check with the responder?
>

Correct


> And if there is neither it will not complain either?
>

Mod EV (in which case, you don't get EV badging if there is neither a
stapled response, nor is the CA covered by CRLSets, nor is there a responder
configured that we talked to and got a positive status for)


>
> Sorry, still confused (I'm sure other browsers will handle it yet
> differently, but since you are here I'm asking).
>

Firefox also honors stapled OCSP responses (for all certs) without actively
checking with responders, and has effectively the same EV behaviour as
Chrome, mod CRLSets.
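The thread turns on three certificate properties: an AIA (OCSP responder pointer), a CRL distribution point, and the RFC 7633 TLS Feature extension that asserts OCSP Must-Staple. The following is an added example, not code from this thread nor from Chrome or Firefox: a minimal DER walk over an X.509 Extensions block that reports which of the three a certificate carries, run against constructed sample inputs (the `der`/`ext` helpers exist only to build those samples).

```python
OID_AIA = bytes.fromhex("2b06010505070101")          # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_CDP = bytes.fromhex("551d1f")                    # 2.5.29.31 cRLDistributionPoints
OID_TLS_FEATURE = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24 TLS Feature (RFC 7633)

def tlv(buf, pos):  # decode one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der(tag, body):  # encode one DER TLV; used here only to construct the samples
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def revocation_pointers(extensions_der):
    """Walk Extensions ::= SEQUENCE OF Extension and flag the revocation-relevant ones."""
    flags = {"aia": False, "cdp": False, "must_staple": False}
    _, seq, _ = tlv(extensions_der, 0)
    pos = 0
    while pos < len(seq):
        _, ext_body, pos = tlv(seq, pos)        # Extension ::= SEQUENCE { extnID, critical?, extnValue }
        _, oid, p = tlv(ext_body, 0)
        tag, val, p = tlv(ext_body, p)
        if tag == 0x01:                          # optional critical BOOLEAN precedes extnValue
            _, val, _ = tlv(ext_body, p)
        if oid == OID_AIA:
            flags["aia"] = True
        elif oid == OID_CDP:
            flags["cdp"] = True
        elif oid == OID_TLS_FEATURE:             # extnValue holds SEQUENCE OF INTEGER (TLS ext ids)
            _, feats, _ = tlv(val, 0)
            fp = 0
            while fp < len(feats):
                _, num, fp = tlv(feats, fp)
                if int.from_bytes(num, "big") == 5:   # 5 = status_request, i.e. Must-Staple
                    flags["must_staple"] = True
    return flags

def ext(oid, value, critical=False):  # constructed helper: build one Extension SEQUENCE
    return der(0x30, der(0x06, oid) + (der(0x01, b"\xff") if critical else b"") + der(0x04, value))

# Constructed samples: one cert with CDP, AIA and Must-Staple; one carrying only basicConstraints.
SAMPLE_FULL = der(0x30, ext(OID_CDP, der(0x30, b"")) + ext(OID_AIA, der(0x30, b""))
                  + ext(OID_TLS_FEATURE, der(0x30, der(0x02, b"\x05"))))
SAMPLE_BARE = der(0x30, ext(bytes.fromhex("551d13"), der(0x30, b""), critical=True))
```

To triage a real certificate, feed `revocation_pointers` the DER of its Extensions SEQUENCE; a cert that reports `must_staple` but whose server does not staple is the case a Must-Staple-aware client will refuse.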