<div dir="ltr">As I explained, we've explored this in the past, and it's not something we believe is worthwhile nor possible at this time.<div><br></div><div>But this is a bit of a divergence from our topic at hand.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 30, 2014 at 8:48 AM, <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> <span dir="ltr"><<a href="mailto:kirk_hall@trendmicro.com" target="_blank">kirk_hall@trendmicro.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p>This may be too deep for me, but what if browsers followed this logic?<u></u><u></u></p>
<p><u></u> <u></u></p>
<p>Cert issued from (original) trusted root in browser root store (not added by client) => cert must have CDP and AIA to be treated as valid by browser<u></u><u></u></p>
<p><u></u> <u></u></p>
<p class="MsoNormal">Cert NOT issued from (original) trusted root in browser root store (so maybe cert from root added by client) => cert is NOT required to have CDP and AIA to be treated as valid by browser<u></u><u></u></p>
<p><u></u> <u></u></p>
<p><u></u> <u></u></p>
<p><span class="">-----Original Message-----<br>
From: <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] On Behalf Of Gervase Markham<br></span><span class="">
Sent: Thursday, October 30, 2014 6:29 AM<br>
To: Eddy Nigg<br>
Cc: <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>
Subject: Re: [cabfpub] Pre-Ballot - Short-Life Certificates</span></p>
<p><u></u> <u></u></p>
<p>On 29/10/14 22:12, Eddy Nigg wrote:<u></u><u></u></p><div><div class="h5">
<p>> Considering that CAs were required to modify the OCSP responders to
<u></u><u></u></p>
<p>> include Good, Revoked and *Unknown* upon request of the browsers
<u></u><u></u></p>
<p>> mostly (I believe Google was a strong supporter of that), it's rather
<u></u><u></u></p>
<p>> confusing to know that browsers entirely ignore it if the certificates
<u></u><u></u></p>
<p>> have no OCSP (and CRL) pointers, not speaking about checking this
<u></u><u></u></p>
<p>> information when available.<u></u><u></u></p>
<p><u></u> <u></u></p>
<p>How do you envisage a browser would know which server to ask about the Certificate Status of a particular certificate, if the certificate did not contain a server pointer?<u></u><u></u></p>
<p><u></u> <u></u></p>
<p>Gerv<u></u><u></u></p>
<p><u></u> <u></u></p>
<p>_______________________________________________<u></u><u></u></p>
<p>Public mailing list<u></u><u></u></p>
<p><a href="mailto:Public@cabforum.org" target="_blank"><span style="color:windowtext;text-decoration:none">Public@cabforum.org</span></a><u></u><u></u></p>
<p><a href="https://cabforum.org/mailman/listinfo/public" target="_blank"><span style="color:windowtext;text-decoration:none">https://cabforum.org/mailman/listinfo/public</span></a><u></u><u></u></p>
</div></div></div>
</div>
<table><tbody><tr><td bgcolor="#ffffff"><font color="#000000"><pre><table><tbody><tr><td><pre>TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></tbody></table></pre></font></td></tr></tbody></table>
<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>