[Fwd: Re: amsl.com certificate?]

FYI. Relevant to the proper handling of OCSP unavailable
error cases.
S.

Forwarded message 1

  • From: Geoff Huston <gih@apnic.net>
  • Date: Thu, 21 Feb 2008 13:24:00 +1100
  • Subject: Re: amsl.com certificate?
  • To: Alexa Morris <amorris@amsl.com>
  • Cc: Iljitsch van Beijnum <iljitsch@muada.com>, IETF discussion list <ietf@ietf.org>, James Galvin <galvin+ietf@elistx.com>
  • Message-ID: <47BCE0C0.103@apnic.net>

The default setting in Firefox (and possibly Safari) is to use OCSP for
validation of certificates where OCSP is referenced. The *.ietf.org
certificate has as part of the Authority Information Field the value:
OCSP: URI: http://ocsp.starfieldtech.com

This URL is unreachable from many non-US sites, for reasons known only
to GoDaddy I presume.

The pragmatic workaround in Firefox is to set the option to not use
OCSP for certificate validation.

Geoff







Alexa Morris wrote:
> As soon as the SSL problem was reported, AMS performed additional testing on
> many different computers. However, we were unable to duplicate this problem.
> If someone else experiences this issue and is concerned, please send an
> email to ietf-action@ietf.org. Alternatively, please feel free to contact me
> directly at any time.
> 
> Regards,
> Alexa
> 
> 
> -----------
> Alexa Morris / Executive Director / IETF
> 48377 Fremont Blvd., Suite 117, Fremont, CA  94538
> Phone: +1.510.492.4089 / Fax: +1.510.492.4001
> Email: amorris@amsl.com
> 
> Managed by Association Management Solutions (AMS)
> Forum Management, Meeting and Event Planning
> www.amsl.com <http://www.amsl.com/>
> 
> 
> On 2/20/08 10:45 AM, "James Galvin" <galvin+ietf@elistx.com> wrote:
> 
>> AMS obtains certificates for their clients from Starfield
>> Technologies:
>>
>>     <http://www.starfieldtech.com/>
>>
>> Do you have a concern about this choice or is your concern about
>> the fact that your browser didn't accept the certificate by default?
>>
>> If you have a concern about this choice it would help if you could
>> be specific about what that is.  Their web site seems pretty
>> complete to me so any one of us could "check them out."  I think we
>> need to trust AMS to make a good choice unless we can identify an
>> issue.
>>
>> As far as your browser not accepting the certificate, I'm sure you
>> realize there are a lot of reasons that could happen including the
>> latest version of Safari "missing" a particular root certificate.
>>
>> Jim
>>
>>
>>
>>
>>
>> -- On Wednesday, February 20, 2008 6:04 PM +0100 Iljitsch van
>> Beijnum <iljitsch@muada.com> wrote regarding amsl.com certificate?
>> --
>>
>>> I just registered for IETF-71 and tried to pay. I wasn't bothered
>>> too much when I got an SSL warning for the former, but I
>>> hesitate to proceed with the latter, which is also under the
>>> amsl.com domain.
>>>
>>> My browser (the latest version of Safari on the Mac) complains
>>> that the issuer of the certificate is untrusted. That would be
>>> Starfield Secure Certification Authority.
>>>
>>> Is this a CA in good standing that we should trust?
>>>
>>> Iljitsch
>> _______________________________________________
>> Ietf mailing list
>> Ietf@ietf.org
>> http://www.ietf.org/mailman/listinfo/ietf
>>

Received on Thursday, 21 February 2008 09:48:28 UTC
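
An added illustration, not part of the original messages: a sketch of how a client's revocation policy decides the "OCSP unavailable" case raised in the forwarded message. The AIA text is a constructed sample in `openssl x509 -text` style using the responder URI quoted above; `query`, `unreachable` and the policy names are hypothetical.

```python
import re

# Constructed sample in `openssl x509 -text` style, using the URI quoted above.
SAMPLE_AIA = """Authority Information Access:
    OCSP - URI:http://ocsp.starfieldtech.com
"""

def ocsp_uris(aia_text):
    """Return the OCSP responder URIs listed in an AIA extension dump."""
    return re.findall(r"OCSP\s*-\s*URI:(\S+)", aia_text)

def check_revocation(aia_text, query, policy):
    """Return (decision, reason) for policy 'soft-fail' or 'hard-fail'.

    query(uri) is a hypothetical caller-supplied function that returns
    'good' or 'revoked', or raises OSError if the responder is unreachable.
    """
    if policy not in ("soft-fail", "hard-fail"):
        raise ValueError(f"unknown policy: {policy!r}")
    uris = ocsp_uris(aia_text)
    if not uris:
        return ("accept", "no OCSP responder referenced")
    failures = []
    for uri in uris:
        try:
            status = query(uri)
        except OSError as exc:
            failures.append(f"{uri}: {exc}")
            continue
        if status == "revoked":  # a definite answer always wins
            return ("reject", f"{uri}: revoked")
        if status == "good":
            return ("accept", f"{uri}: good")
        failures.append(f"{uri}: unusable status {status!r}")
    # No responder gave a definite answer: the "OCSP unavailable" case.
    detail = "; ".join(failures)
    if policy == "hard-fail":
        return ("reject", "status unknown, " + detail)
    return ("accept-unverified", "status unknown, " + detail)

def unreachable(uri):
    """Constructed stand-in for a responder that cannot be reached."""
    raise OSError("connection timed out")

if __name__ == "__main__":
    for policy in ("soft-fail", "hard-fail"):
        print(policy, check_revocation(SAMPLE_AIA, unreachable, policy))
```

Under hard-fail an unreachable responder blocks the site, as the thread describes; under soft-fail the connection proceeds without a revocation answer, so an `accept-unverified` result is worth logging rather than treating as equivalent to `good`.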