<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 29, 2014 at 4:24 PM, Eddy Nigg <span dir="ltr"><<a href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<br>
<div>On 10/30/2014 12:24 AM, Ryan Sleevi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Oct 29, 2014 at 3:12 PM, Eddy
Nigg <span dir="ltr"><<a href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span> <br>
<div>On 10/29/2014 08:50 PM, <a href="mailto:kirk_hall@trendmicro.com" target="_blank">kirk_hall@trendmicro.com</a>
wrote:<br>
</div>
<blockquote type="cite">
<div><span style="font-size:11pt;font-family:Calibri,sans-serif">I
agree that browsers and apps will make their own
judgments about when a case of BR non-compliance
is serious enough to warrant a UI warning, and
when it can be ignored. I would just offer my
opinion that lack of CDP and AIA data in a cert
(whether or not Chrome wants to check that
information in the client) is a fundamental
certificate flaw that renders the cert
inherently untrustworthy, and it should
automatically be rejected by applications (just
as expired certs, etc. are now automatically
rejected). But that’s just my opinion.</span></div>
</blockquote>
<br>
</span> Considering that CAs were required to modify the
OCSP responders to include Good, Revoked and <b>Unknown</b>
upon request of the browsers mostly (I believe Google
was a strong supporter of that), it's rather confusing
to know that browsers entirely ignore it if the
certificates have no OCSP (and CRL) pointers, not
speaking about checking this information when
available. </div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
So what does it matter if Diginotar knew or didn't know
which certificates were issued if this information
wouldn't be used anyway? <br>
</div>
</blockquote>
<div><br>
</div>
<div>OCSP stapling. And OCSP Must-Staple. <br>
</div>
</div>
</div>
</div>
</blockquote>
<br></div></div>
If Chrome gets a stapled response, it honors it?</div></blockquote><div><br></div><div>Correct</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"> But if there is
no stapled response it will not check with the responder?</div></blockquote><div><br></div><div>Correct</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"> And if
there is neither it will not complain either?<br></div></blockquote><div><br></div><div>Mod EV (in which case, you don't get EV badging if there is neither a stapled response, nor is the CA covered by CRLSets, nor is there a responder configured that we talked to and got a positive status for)</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<br>
Sorry, still confused (I'm sure other browsers will handle it yet
differently, but since you are here I'm asking).</div></blockquote><div><br></div><div>Firefox also honors stapled OCSP responses (for all certs) without actively checking with responders, and has effectively the same EV behaviour as Chrome, mod CRLSets.</div></div></div></div>