[cabfpub] subscriber certificate issued by Let´s encrypt

Rob Stradling rob.stradling at comodo.com
Wed Feb 10 12:45:54 UTC 2016


On 10/02/16 12:31, "Barreira Iglesias, Iñigo" wrote:
> Then, we should move the OCSP stuff before the "... extensions MAY ..."

Good point.

Incidentally, there was talk of a "profile cleanup ballot" recently [1]. :-)


[1] https://cabforum.org/pipermail/public/2016-January/006601.html

> Iñigo Barreira
> Responsable del Área técnica
> i-barreira at izenpe.eus
> 945067705
>
>
>
> WARNING! Part or all of this message may be legally protected. The message has its intended recipient. If it has reached the wrong address (address mistyped, transmission failure), notify the sender by replying to this e-mail. TAKE CARE!
> ATTENTION! This message contains privileged or confidential information to which only the addressee is entitled to have access. If you receive it in error, we would be grateful if you did not make use of the information and got in touch with the sender.
>
>
> -----Original Message-----
> From: Rob Stradling [mailto:rob.stradling at comodo.com]
> Sent: Wednesday, 10 February 2016 13:28
> To: Barreira Iglesias, Iñigo; public at cabforum.org
> Subject: Re: [cabfpub] subscriber certificate issued by Let´s encrypt
>
> OCSP is a MUST for all Subscriber Certificates.  Either the CA needs to include "the HTTP URL of the Issuing CA's OCSP responder (accessMethod=1.3.6.1.5.5.7.48.1)" in the AIA extension, or the Subscriber needs to do OCSP Stapling.  Or both.
>
> On 10/02/16 11:59, "Barreira Iglesias, Iñigo" wrote:
>> Oops, yes, didn't see it :-(
>>
>> But, in any case, my question is if OCSP is a must or not taking into account that the section also says that the following extensions (OCSP, CRL, ...) may be present. Or only when not stapled?
>>
>>
>> Iñigo Barreira
>> Responsable del Área técnica
>> i-barreira at izenpe.eus
>> 945067705
>>
>>
>>
>>
>> -----Original Message-----
>> From: Rob Stradling [mailto:rob.stradling at comodo.com]
>> Sent: Wednesday, 10 February 2016 12:54
>> To: Barreira Iglesias, Iñigo; public at cabforum.org
>> Subject: Re: [cabfpub] subscriber certificate issued by Let´s encrypt
>>
>> Hi Iñigo.
>>
>> That site's cert _does_ have an OCSP URL.
>>
>> https://crt.sh/?id=12605895
>>
>> On 10/02/16 11:50, "Barreira Iglesias, Iñigo" wrote:
>>> Hi,
>>>
>>> I've been looking at this site https://www.soroa.org and checking
>>> with the latest BR 1.3.3 have some doubts.
>>>
>>> This cert is only for 3 months, which is ok, but it has no OCSP info
>>> nor CRL (I recall this having one of the issues when debating the
>>> short lived certificates in which there was no agreement if I'm not
>>> wrong). In BR 7.1.2.3 section, it says that OCSP is a must but in the
>>> same section, at the beginning it says "the following extensions MAY
>>> be present" so not sure to understand if the OCSP must be present or not if not stapled.
>>>
>>> OTOH I haven't gone further on the checking of the cert, but see that
>>> the root is 1K and SHA1 but is before the effective date so no
>>> problem there, but if someone want to go deep, do it :-)
>>>
>>> Thanks
>>>
>>> *Iñigo Barreira*

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
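The point of the thread is whether a Subscriber Certificate carries "the HTTP URL of the Issuing CA's OCSP responder (accessMethod=1.3.6.1.5.5.7.48.1)" in its Authority Information Access (AIA) extension. As an added example, not part of this thread or of any CA's tooling, the following pure-Python snippet encodes and decodes the DER value of an AIA extension (RFC 5280 AuthorityInfoAccessSyntax) and reports whether an id-ad-ocsp entry with an http:// location is present. The URLs used are constructed placeholders under example.test; the function and variable names are this example's own.

```python
"""Encode/decode an AuthorityInfoAccess extension value and check for an OCSP URL.

RFC 5280:
    AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
    AccessDescription ::= SEQUENCE { accessMethod OBJECT IDENTIFIER,
                                     accessLocation GeneralName }
The location we care about is GeneralName.uniformResourceIdentifier,
context tag [6] (0x86), carrying an IA5String.
"""

OCSP_OID = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp (the OID quoted in the thread)
CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers


def _encode_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body


def _encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_aia(entries):
    """entries: list of (dotted_oid, url). Returns the DER AuthorityInfoAccessSyntax."""
    descs = b"".join(
        _tlv(0x30, _encode_oid(oid) + _tlv(0x86, url.encode("ascii")))
        for oid, url in entries
    )
    return _tlv(0x30, descs)


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_aia(der):
    """Decode the extension value into a list of (dotted_oid, url_or_None)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t_oid, oid_body, p = _read_tlv(desc, 0)
        t_loc, loc, _ = _read_tlv(desc, p)
        if t_oid != 0x06:
            raise ValueError("accessMethod must be an OID")
        # Only URI GeneralNames are meaningful here; other name forms give None.
        url = loc.decode("ascii") if t_loc == 0x86 else None
        result.append((_decode_oid(oid_body), url))
    return result


def ocsp_urls(der):
    """All accessLocation URIs whose accessMethod is id-ad-ocsp."""
    return [url for oid, url in parse_aia(der) if oid == OCSP_OID and url]


def has_http_ocsp_url(der):
    """True if at least one OCSP responder location is an http:// URL."""
    return any(u.lower().startswith("http://") for u in ocsp_urls(der))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    with_ocsp = encode_aia([(CA_ISSUERS_OID, "http://ca.example.test/issuer.crt"),
                            (OCSP_OID, "http://ocsp.example.test/")])
    without_ocsp = encode_aia([(CA_ISSUERS_OID, "http://ca.example.test/issuer.crt")])
    print(parse_aia(with_ocsp))
    print("OCSP present:", has_http_ocsp_url(with_ocsp), has_http_ocsp_url(without_ocsp))
```

In practice the DER handed to parse_aia() would be the value of the extension with OID 1.3.6.1.5.5.7.1.1 pulled from a certificate; the decoder deliberately returns None for non-URI GeneralNames rather than failing, so an AIA that names the responder some other way still parses but does not count as satisfying the http:// requirement quoted above.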