<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 29, 2014 at 3:12 PM, Eddy Nigg <span dir="ltr"><<a href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<br>
<div>On 10/29/2014 08:50 PM,
<a href="mailto:kirk_hall@trendmicro.com" target="_blank">kirk_hall@trendmicro.com</a> wrote:<br>
</div>
<blockquote type="cite">
<div><span style="font-size:11pt;font-family:Calibri,sans-serif">I
agree that browsers and apps will make their own judgments
about when a case of BR non-compliance is serious enough to
warrant a UI warning, and when it can be ignored. I would
just offer my opinion that lack of CDP and AIA data in a cert
(whether or not Chrome wants to check that information in the
client) is a fundamental certificate flaw that renders the
cert inherently untrustworthy, and it should automatically be
rejected by applications (just as expired certs, etc. are now
automatically rejected). But that’s just my opinion.</span></div>
</blockquote>
<br></span>
Considering that CAs were required to modify the OCSP responders to
include Good, Revoked and <b>Unknown</b> upon request of the
browsers mostly (I believe Google was a strong supporter of that),
it's rather confusing to know that browsers entirely ignore it if
the certificates have no OCSP (and CRL) pointers, not speaking about
checking this information when available. </div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<br>
So what does it matter if Diginotar knew or didn't know which
certificates were issued if this information wouldn't be used
anyway? <br></div></blockquote><div><br></div><div>OCSP stapling. And OCSP Must-Staple. </div></div></div></div>