[cabfpub] subscriber certificate issued by Let's encrypt

"Barreira Iglesias, Iñigo" i-barreira at izenpe.eus
Wed Feb 10 12:31:13 UTC 2016


Then, we should move the OCSP stuff before the "... extensions MAY ..."


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.eus 
945067705





-----Original Message-----
From: Rob Stradling [mailto:rob.stradling at comodo.com]
Sent: Wednesday, 10 February 2016 13:28
To: Barreira Iglesias, Iñigo; public at cabforum.org
Subject: Re: [cabfpub] subscriber certificate issued by Let's encrypt

OCSP is a MUST for all Subscriber Certificates.  Either the CA needs to include "the HTTP URL of the Issuing CA's OCSP responder (accessMethod=1.3.6.1.5.5.7.48.1)" in the AIA extension, or the Subscriber needs to do OCSP Stapling.  Or both.

On 10/02/16 11:59, "Barreira Iglesias, Iñigo" wrote:
> Oops, yes, didn't see it :-(
>
> But, in any case, my question is if OCSP is a must or not taking into account that the section also says that the following extensions (OCSP, CRL, ...) may be present. Or only when not stapled?
>
>
> Iñigo Barreira
> Head of the Technical Area
> i-barreira at izenpe.eus
> 945067705
>
>
> -----Original Message-----
> From: Rob Stradling [mailto:rob.stradling at comodo.com]
> Sent: Wednesday, 10 February 2016 12:54
> To: Barreira Iglesias, Iñigo; public at cabforum.org
> Subject: Re: [cabfpub] subscriber certificate issued by Let's encrypt
>
> Hi Iñigo.
>
> That site's cert _does_ have an OCSP URL.
>
> https://crt.sh/?id=12605895
>
> On 10/02/16 11:50, "Barreira Iglesias, Iñigo" wrote:
>> Hi,
>>
>> I've been looking at this site https://www.soroa.org and, checking 
>> with the latest BR 1.3.3, have some doubts.
>>
>> This cert is only for 3 months, which is ok, but it has no OCSP info 
>> nor CRL (I recall this being one of the issues when debating the 
>> short lived certificates in which there was no agreement if I'm not 
>> wrong). In BR 7.1.2.3 section, it says that OCSP is a must but in the 
>> same section, at the beginning it says “the following extensions MAY 
>> be present” so I'm not sure whether the OCSP must be present or not if not stapled.
>>
>> OTOH I haven't gone further on the checking of the cert, but see that 
>> the root is 1K and SHA1 but is before the effective date so no 
>> problem there, but if someone wants to go deep, do it :-)
>>
>> Thanks
>>
>> *Iñigo Barreira*
>> Head of the Technical Area
>> i-barreira at izenpe.eus <mailto:i-barreira at izenpe.eus>
>>
>> 945067705
>>
>
> --
> Rob Stradling
> Senior Research & Development Scientist COMODO - Creating Trust Online 
> Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 
> www.comodo.com
>
> COMODO CA Limited, Registered in England No. 04058690 Registered Office:
>     3rd Floor, 26 Office Village, Exchange Quay,
>     Trafford Road, Salford, Manchester M5 3EQ
>
>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690 Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ
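
Added example, not part of the original thread: a standard-library check for the condition Rob Stradling cites, an HTTP URL in the AIA extension with accessMethod=1.3.6.1.5.5.7.48.1. It parses the DER value of an AuthorityInfoAccess extension; the function names, the sample bytes and the example.test URLs are constructed for illustration.

```python
# Added example: pull OCSP responder URLs out of an AuthorityInfoAccess value (DER).
OID_OCSP = "1.3.6.1.5.5.7.48.1"  # accessMethod quoted in the thread (id-ad-ocsp)

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first octet packs the two leading arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def access_locations(aia_der):
    """Yield (accessMethod, URI) for every URI-typed AccessDescription."""
    tag, seq, _ = read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccess value must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)
        _, oid_body, nxt = read_tlv(desc, 0)
        loc_tag, loc, _ = read_tlv(desc, nxt)
        if loc_tag == 0x86:                # GeneralName [6] uniformResourceIdentifier
            yield decode_oid(oid_body), loc.decode("ascii")

def ocsp_http_urls(aia_der):
    """HTTP OCSP URLs; an empty list leaves OCSP stapling as the only way to comply."""
    return [url for method, url in access_locations(aia_der)
            if method == OID_OCSP and url.lower().startswith("http://")]

# Constructed sample (example.test hosts): one OCSP entry and one caIssuers entry.
def _tlv(tag, body): return bytes([tag, len(body)]) + body  # short-form length only

SAMPLE_AIA = _tlv(0x30, b"".join(
    _tlv(0x30, _tlv(0x06, bytes.fromhex(oid)) + _tlv(0x86, url))
    for oid, url in [("2b06010505073001", b"http://ocsp.example.test"),
                     ("2b06010505073002", b"http://ca.example.test/issuer.cer")]))
```

An empty result from `ocsp_http_urls` does not by itself mean non-compliance, since the thread notes the Subscriber may staple instead; it only shows the certificate carries no responder URL.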
