Tweets
Rob Stradling
@_robstr
29 Jan

Cache/latency wasn't the problem in this particular case.
@jameshartig already acknowledged that the CAA record was not added until after we'd performed the CAA checks. Since the certificate request was then abandoned, we didn't retry the CAA checks after the record was added.
Rob Stradling
@_robstr
28 Jan

I can't tell if the Support agent misunderstood you, or if they misunderstood this detail of the CAA algorithm. I can tell you (as co-author of the CAA RFC and author of Sectigo's CAA checker code) that our CAA checker would not be affected by any such misunderstandings.
Rob Stradling
@_robstr
28 Jan

lol
Rob Stradling
@_robstr
28 Jan

We'll reply fully via cabfquest, since you've also enquired there.
Quick summary: We are following CAA resolution correctly. When we performed a CAA check for dev.owlsr.us at 2020-01-27 16:05:31 UTC, the response was an empty CAA RRset.
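The two CAA tweets above (the empty CAA RRset at check time, and the record that was added only after the check had been performed) both come down to how RFC 8659 resolution works: the checker climbs from the FQDN toward the root, takes the first non-empty CAA RRset it finds, and evaluates the request against that snapshot. The following is an added example, not Sectigo's CAA checker and not crt.sh code. The name dev.owlsr.us and the check time are taken from the tweet; the zone contents, the CA identities "ca.example" and "other-ca.example", and the "after" snapshot are constructed. CNAME/DNAME aliasing is not modelled.

```python
"""
Added example (not Sectigo's CAA checker): RFC 8659 CAA resolution against an
in-memory DNS snapshot. The name dev.owlsr.us and the check time come from the
tweets; the zone contents and the CA identity "ca.example" are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (128) = issuer critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'ca.example', 'ca.example; accounturi=...', ';' (nobody may issue)

Zone = Dict[str, List[CAARecord]]   # owner name -> CAA RRset

def parent(name: str) -> str:
    return name.partition(".")[2]          # "dev.owlsr.us" -> "owlsr.us" -> "us" -> ""

def relevant_caa_set(name: str, zone: Zone) -> List[CAARecord]:
    """RFC 8659 s3: walk from the FQDN toward the root and return the first
    non-empty CAA RRset; empty if none exists at any level.
    Simplification: CNAME/DNAME aliases are not modelled."""
    while name:
        rrset = zone.get(name.lower(), [])
        if rrset:
            return list(rrset)
        name = parent(name)
    return []

def issuer_domain(value: str) -> str:
    """issuer-domain-name before any ';'-separated parameters, lower-cased; '' means no CA."""
    return value.split(";", 1)[0].strip().lower()

def issuance_permitted(fqdn: str, ca_identity: str, zone: Zone) -> bool:
    """RFC 8659 s4: decide whether ca_identity may issue for fqdn (wildcard or not)."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_caa_set(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True                      # empty RelevantCAASet: no restriction
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False                     # unknown critical property: must not issue
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"                # issuewild, when present, overrides issue for wildcards
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True                      # e.g. an iodef-only set imposes no issuance restriction
    return any(issuer_domain(r.value) == ca_identity.lower() for r in applicable)

# Snapshot as the tweet describes it at 2020-01-27 16:05:31 UTC: no CAA RRset at any level.
ZONE_AT_CHECK: Zone = {}
# Constructed later state: a CAA record naming a different CA was added at the parent.
ZONE_AFTER_RECORD_ADDED: Zone = {
    "owlsr.us": [CAARecord(0, "issue", "other-ca.example")],
}

def caa_result(zone: Zone) -> bool:
    """The check the tweets describe, evaluated against one DNS snapshot."""
    return issuance_permitted("dev.owlsr.us", "ca.example", zone)

if __name__ == "__main__":
    print("at check time :", caa_result(ZONE_AT_CHECK))
    print("after addition:", caa_result(ZONE_AFTER_RECORD_ADDED))
```

The point the snapshots make is that a CAA decision is bound to the RRset observed at check time: running `caa_result` against the earlier snapshot permits issuance, and only a fresh check against the later snapshot sees the new record. That is why a record added after the check, with the request then abandoned, never changes the earlier outcome.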
Rob Stradling
@_robstr
27 Jan

I suspect that there are many more than two CAs compliant with SC17. (Hint: Not issuing PSD2 certs is one way to comply. :-) )
Rob Stradling
@_robstr
20 Jan
Rob Stradling
@_robstr
20 Jan

IINM, including the tag/length in {{subjectKeyId}} doesn't work with Censys either.
Rob Stradling
@_robstr
20 Jan

It seems odd that {{subjectKeyId}} includes the tag/length but {{authKeyId}} omits the tag/length.
Rob Stradling
@_robstr
20 Jan

Thanks. crt.sh now uses SubjectKeyIdSiblingsLink for ?pv= searches, but the links don't actually work due to the 2-byte ("04nn") OCTET STRING tag/length being present in {{subjectKeyId}}.
Rob Stradling
@_robstr
18 Jan

I've added IssuerDNLink, AuthKeyIdParentLink and SubjectKeyIdParentLink to crt.sh's ?pv= pages.
I think I actually need a "SubjectKeyIdSiblingsLink" though.
Also, does {{subjectKeyId}} have to include the 2-byte ("04nn") OCTET STRING tag/length?
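The {{subjectKeyId}} / {{authKeyId}} tweets above all turn on the same encoding detail: the SubjectKeyIdentifier extension value is a DER OCTET STRING, so its bytes start with the "04 nn" tag and length, whereas the key identifier inside AuthorityKeyIdentifier sits in a [0] context tag inside a SEQUENCE. Linking certificates by key id only works if both sides are reduced to the raw KeyIdentifier bytes. The following is an added example, not crt.sh's code and not Censys code; it parses both extension values down to the key identifier and compares them. The key id and the extension byte strings are constructed.

```python
"""
Added example (not crt.sh's code): take the DER of a SubjectKeyIdentifier extension
value and of an AuthorityKeyIdentifier extension value down to the raw KeyIdentifier
bytes, so the two can be compared. All byte strings below are constructed.
"""
from typing import Optional, Tuple

def der_read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it).
    Only single-byte tags and lengths of up to 4 bytes are handled."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                       # short form
    else:
        n = first & 0x7F                     # long form: n length bytes follow
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding (not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV contents truncated")
    return tag, buf[pos:pos + length], pos + length

def der_unwrap(buf: bytes, expected_tag: int) -> bytes:
    """Unwrap exactly one TLV with the given tag; reject trailing bytes."""
    tag, contents, end = der_read_tlv(buf)
    if tag != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x}, got 0x{tag:02x}")
    if end != len(buf):
        raise ValueError("trailing data after TLV")
    return contents

def subject_key_id(ski_ext_value: bytes) -> bytes:
    """SubjectKeyIdentifier ::= KeyIdentifier, i.e. an OCTET STRING (tag 0x04)."""
    return der_unwrap(ski_ext_value, 0x04)

def authority_key_id(aki_ext_value: bytes) -> Optional[bytes]:
    """AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT KeyIdentifier OPTIONAL, ... }
    Return the keyIdentifier bytes, or None if the extension only carries issuer/serial."""
    seq = der_unwrap(aki_ext_value, 0x30)
    pos = 0
    while pos < len(seq):
        tag, contents, pos = der_read_tlv(seq, pos)
        if tag == 0x80:                      # context-specific [0], primitive
            return contents
    return None

# Constructed 20-byte key identifier (the size RFC 5280 s4.2.1.2 method 1 produces).
KEY_ID = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
# SKI extension value: OCTET STRING wrapper ("04 14") + key id  -> 22 bytes
SKI_EXT = bytes([0x04, len(KEY_ID)]) + KEY_ID
# AKI extension value: SEQUENCE { [0] key id }                  -> 24 bytes
AKI_EXT = bytes([0x30, len(KEY_ID) + 2, 0x80, len(KEY_ID)]) + KEY_ID

def same_key(ski_ext_value: bytes, aki_ext_value: bytes) -> bool:
    """Issuer/subject linkage: compare raw KeyIdentifier bytes, never the wrapped forms."""
    return authority_key_id(aki_ext_value) == subject_key_id(ski_ext_value)

if __name__ == "__main__":
    print(len(SKI_EXT), "bytes wrapped ->", subject_key_id(SKI_EXT).hex())
    print("AKI matches SKI:", same_key(SKI_EXT, AKI_EXT))
```

Because the wrapped form is two bytes longer than the raw key id, a lookup that hex-encodes `SKI_EXT` on one side and `authority_key_id(AKI_EXT)` on the other never matches, which is the failure the "04nn" tweets describe. Stripping the wrapper by heuristic (dropping a leading `04` followed by a plausible length byte) is not safe, since a raw key id can itself begin with those bytes; the parser above instead requires you to know which form you hold and validates the tag and length before unwrapping.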
Rob Stradling
@_robstr
12 Jan

It was a welcome half hour distraction for a Friday afternoon :-)
Rob Stradling
@_robstr
10 Jan

Yeah, why not...
crt.sh/?pv=139646520
:-)
Rob Stradling
@_robstr
8 Jan

Thanks! Fixed. (Sorry about that... I had been frantically tweaking some pain points that only became apparent when the new crt.sh site started receiving significant traffic).
Rob Stradling
@_robstr
8 Jan

It has now. crt.sh/forum?place=ms…
Rob Stradling
@_robstr
8 Jan

crt.sh is back again. crt.sh/forum?place=ms…
Rob Stradling
@_robstr
8 Jan

It's LIVE! crt.sh/forum?place=ms…
Rob Stradling
@_robstr
3 Jan

The new crt.sh system is nearly fully ready. I expect we'll switch the A/AAAA records to point to it early-ish next week.
Rob Stradling
@_robstr
28 Dec

Thanks! And to you!
Rob Stradling
@_robstr
9 Dec

Making progress. crt.sh/forum?place=ms…
Rob Stradling
@_robstr
3 Dec

PostgreSQL doesn't have a uint32 datatype.
The new database setup is nearly finished.