
[Chain of Trust] Add OCSP stapled revoked demonstration site #1110

Open
osirisinferi opened this issue Sep 30, 2020 · 6 comments

Comments

@osirisinferi
Contributor

Hi all,

On the Chain of Trust page there are three test sites/test certificates:

We’ve set up websites to test certificates chaining to our active roots.

I thought those demonstration pages were mandatory for some root inclusion programs, but when I searched for this requirement on the Mozilla Root program page(s), I didn't find such a condition.

In any case, I would like to make a suggestion. As the "Revoked" page already states:

NOTE: Depending on your browser this page may not display as revoked. Not all browsers perform revocation checking.

This is very much true for my Chromium. However, it should check the revocation state if presented by a stapled OCSP response, right?

Wouldn't it be nice to have the following list:

We’ve set up websites to test certificates chaining to our active roots.

Any thoughts?
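The question raised above is what a client actually receives from a site with a revoked certificate: no stapled response at all, or a stapled response whose status is "revoked". The following is an added example, not code from the issue or from Let's Encrypt: a POSIX shell helper that captures the output of `openssl s_client -status` for a host you name (`check_host`, with host and port as parameters) and a separate text classifier (`classify_staple`) that maps that output to `none`, `good`, `revoked`, `unknown` or `unparsed`, so the parsing part can be exercised offline. The sample output embedded at the end is constructed to match the format `openssl s_client -status` prints; the function names are this example's own.

```shell
#!/bin/sh
# Classify the stapled OCSP status found in `openssl s_client -status` output.
# $1: the captured text. Prints one of: none, good, revoked, unknown, unparsed.
classify_staple() {
  # s_client prints this line when the server sent no status_request extension data
  if printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
    echo none
    return 0
  fi
  # Otherwise pull the first "Cert Status:" line of the decoded response
  status=$(printf '%s\n' "$1" | sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
  case "$status" in
    good|revoked|unknown) echo "$status" ;;
    *) echo unparsed ;;   # connection failure, or a response we could not decode
  esac
}

# Live check: ask a TLS server for a stapled OCSP response and classify it.
# $1: hostname, $2: port (defaults to 443). Requires the openssl CLI.
check_host() {
  host=$1
  port=${2:-443}
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
  classify_staple "$out"
}

# Constructed sample (not a real capture) in the shape s_client prints for a
# stapled response whose certificate status is revoked.
SAMPLE_REVOKED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Sep 30 00:00:00 2020 GMT'

# Constructed sample for a server that does not staple at all.
SAMPLE_NONE='OCSP response: no response sent'

# Stand-alone demonstration on the constructed samples.
classify_staple "$SAMPLE_REVOKED"
classify_staple "$SAMPLE_NONE"
```

Run `check_host revoked.example.invalid` (a placeholder host) against the demonstration site you want to inspect. A result of `none` means the client is left to do its own OCSP or CRL lookup, which is exactly the case where a browser that skips revocation checking will show the page as valid; `revoked` means the status was delivered in the handshake itself, which is the condition the proposed "revoked (stapled)" site would exercise.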

@bdaehlie
Collaborator

The requirement to host valid/revoked/expired test pages is in Section 2.2 of the CA/B Forum Baseline Requirements.

I'm not opposed to setting up a revoked test site that staples but our SRE team would have to do it and they likely will not have time soon. A good suggestion though.

@osirisinferi
Contributor Author

@bdaehlie If I read the BR correctly (thanks!), Let's Encrypt is required to put up "test Web pages" for "ISRG Root X2" too before that root can be included. (Although I know there will be a "ISRG Root X2" signed by "ISRG Root X1" too which probably wouldn't need the test pages.)

@bdaehlie
Collaborator

We will need to set up test sites for ISRG Root X2 before we apply to have it included in root programs. That's why we haven't applied yet.

One of our operating principles is that we do not set up specialized systems for issuing end-entity certificates internally. If we issue an end-entity certificate we issue it the same way everyone else does - through our public ACME API. We need to finish some work to allow us to issue from ISRG Root X2 via boulder/ACME before we can issue the certificates for the test sites. Once that is done we will set up the test sites.

@osirisinferi
Contributor Author

It looks like the Root X2 pages have been up since March 24th!

Any thought about implementing an OCSP stapled variant of the revoked cert site?

@jprenken
Contributor

This remains in our backlog for now. Most stapling implementations out there (very reasonably) won't cache or serve non-valid responses, so we'll need to tweak or re-implement.

@osirisinferi
Contributor Author

Well, that's not a "no"! 😃
