<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 10/30/2014 12:24 AM, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvYavFD-S0E7kmuB+=ToZZhsF4jgN8iP6R0hfW4goWovrw@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Oct 29, 2014 at 3:12 PM, Eddy
Nigg <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class=""> <br>
<div>On 10/29/2014 08:50 PM, <a
moz-do-not-send="true"
href="mailto:kirk_hall@trendmicro.com"
target="_blank">kirk_hall@trendmicro.com</a>
wrote:<br>
</div>
<blockquote type="cite">
<div><span
style="font-size:11pt;font-family:Calibri,sans-serif">I
agree that browsers and apps will make their own
judgments about when a case of BR non-compliance
is serious enough to warrant a UI warning, and
when it can be ignored. I would just offer my
opinion that lack of CDP and AIA data in a cert
(whether or not Chrome wants to check that
information in the client) is a fundamental
certificate flaw that renders the cert
inherently untrustworthy, and it should
automatically be rejected by applications (just
as expired certs, etc. are now automatically
rejected). But that’s just my opinion.</span></div>
</blockquote>
<br>
</span> Considering that CAs were required to modify their
OCSP responders to include Good, Revoked and <b>Unknown</b>
upon request of the browsers mostly (I believe Google
was a strong supporter of that), it's rather confusing
to learn that browsers entirely ignore it if the
certificates have no OCSP (and CRL) pointers, not to
speak of checking this information when
available. </div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
So what does it matter if Diginotar knew or didn't know
which certificates were issued if this information
wouldn't be used anyway? <br>
</div>
</blockquote>
<div><br>
</div>
<div>OCSP stapling. And OCSP Must-Staple. <br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
If Chrome gets a stapled response, it honors it? But if there is
no stapled response it will not check with the responder? And if
there is neither, it will not complain either?<br>
<br>
Sorry, still confused (I'm sure other browsers will handle it yet
differently, but since you are here I'm asking).<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
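<p>The three cases Eddy asks about (a stapled response, no staple but CDP/AIA pointers in the certificate, and neither) can be made concrete by reading the relevant extensions off a certificate. The following is an added example and not code from anyone in this thread or from any browser: a pure-Python minimal DER encoder/decoder that builds sample Extensions blocks (constructed here, with hypothetical <code>example.test</code> URLs, not real certificates), extracts the AIA OCSP URLs, the CRL distribution point URLs and the RFC 7633 TLS feature extension (<code>status_request</code>, value 5, i.e. OCSP Must-Staple), and then reports what a client actually has to work with. It deliberately does not model any particular browser's fetch policy, which is the open question in the thread; the only hard reject it derives is the one RFC 7633 specifies, Must-Staple asserted with no stapled response.</p>

```python
"""Inspect X.509 Extensions for revocation pointers (AIA/OCSP, CRL DP) and
RFC 7633 OCSP Must-Staple, then derive what a TLS client has to work with.

Added example; minimal pure-Python DER. Sample extension blocks are
constructed below (hypothetical example.test URLs), not real certificates.
"""

OID_AIA = "1.3.6.1.5.5.7.1.1"          # authorityInfoAccess
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"     # accessMethod id-ad-ocsp
OID_CRL_DP = "2.5.29.31"               # cRLDistributionPoints
OID_TLS_FEATURE = "1.3.6.1.5.5.7.1.24" # RFC 7633 TLS feature extension
STATUS_REQUEST = 5                     # TLS status_request = Must-Staple

# ---- minimal DER encoder (only what the samples need) ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        groups = [a & 0x7F]           # base-128, least significant group first
        a >>= 7
        while a:
            groups.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(groups))
    return tlv(0x06, bytes(out))

def uri(s):   # GeneralName uniformResourceIdentifier [6] IMPLICIT IA5String
    return tlv(0x86, s.encode("ascii"))

def extension(ext_oid, value, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""
    return seq(oid(ext_oid), crit, tlv(0x04, value))

def aia_ext(ocsp_url):      # AccessDescription { id-ad-ocsp, uri }
    return extension(OID_AIA, seq(seq(oid(OID_AD_OCSP), uri(ocsp_url))))

def cdp_ext(crl_url):       # DistributionPoint { [0] { fullName [0] { uri } } }
    return extension(OID_CRL_DP, seq(seq(tlv(0xA0, tlv(0xA0, uri(crl_url))))))

def must_staple_ext():      # Features ::= SEQUENCE OF INTEGER
    return extension(OID_TLS_FEATURE, seq(tlv(0x02, bytes([STATUS_REQUEST]))))

# ---- minimal DER decoder ----
def elements(data):
    """Yield (tag, body) for each TLV in a run of DER values."""
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                  # long-form length
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big")
            i += k
        yield tag, data[i:i + n]
        i += n

def body_of(single_tlv):
    return next(elements(single_tlv))[1]

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for c in body[1:]:
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(ext_seq):
    """DER Extensions SEQUENCE -> {oid: (critical, extnValue bytes)}."""
    out = {}
    for _, ext in elements(body_of(ext_seq)):
        parts = list(elements(ext))   # [oid, (critical), octet string]
        critical = len(parts) == 3 and parts[1][1] == b"\xff"
        out[decode_oid(parts[0][1])] = (critical, parts[-1][1])
    return out

def ocsp_urls(exts):
    urls = []
    if OID_AIA in exts:
        for _, ad in elements(body_of(exts[OID_AIA][1])):
            (_, method), (tag, name) = elements(ad)
            if decode_oid(method) == OID_AD_OCSP and tag == 0x86:
                urls.append(name.decode("ascii"))
    return urls

def crl_urls(exts):
    urls = []
    if OID_CRL_DP in exts:
        for _, dp in elements(body_of(exts[OID_CRL_DP][1])):
            for tag, dp_name in elements(dp):
                if tag != 0xA0:       # distributionPoint [0]
                    continue
                for tag2, names in elements(dp_name):
                    if tag2 == 0xA0:  # fullName [0] GeneralNames
                        urls += [n.decode("ascii") for t, n in elements(names) if t == 0x86]
    return urls

def must_staple(exts):
    if OID_TLS_FEATURE not in exts:
        return False
    return any(t == 0x02 and int.from_bytes(b, "big") == STATUS_REQUEST
               for t, b in elements(body_of(exts[OID_TLS_FEATURE][1])))

def revocation_posture(ext_seq, stapled_response_present):
    """Which revocation sources does a client have, and is anything fatal?"""
    exts = parse_extensions(ext_seq)
    ocsp, crl, ms = ocsp_urls(exts), crl_urls(exts), must_staple(exts)
    if ms and not stapled_response_present:
        verdict = "reject: Must-Staple asserted but no stapled OCSP response"
    elif stapled_response_present:
        verdict = "use stapled OCSP response"
    elif ocsp or crl:
        verdict = "pointers present; fetching them is client policy"
    else:
        verdict = "no staple and no CDP/AIA pointers: nothing for the client to check"
    return {"ocsp": ocsp, "crl": crl, "must_staple": ms, "verdict": verdict}

# Constructed samples (hypothetical URLs), one per case in the thread.
COMPLIANT = seq(aia_ext("http://ocsp.example.test"), cdp_ext("http://crl.example.test/ca.crl"))
MUST_STAPLE = seq(aia_ext("http://ocsp.example.test"), must_staple_ext())
BARE = seq()   # no revocation pointers at all

if __name__ == "__main__":
    for label, block in (("compliant", COMPLIANT), ("must-staple", MUST_STAPLE), ("bare", BARE)):
        for stapled in (True, False):
            print(label, "stapled" if stapled else "no staple", revocation_posture(block, stapled))
```

<p>Run it directly to see all six combinations. The point of the table it prints is the one the thread circles around: a stapled response is usable regardless of what the certificate says, Must-Staple turns a missing staple into a hard failure, and a certificate with neither a staple nor any CDP/AIA pointer leaves a client with nothing to consult, whether or not it would have consulted it.</p>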
</body>
</html>