letsencrypt / website

Let's Encrypt Website and Documentation
https://letsencrypt.org
Mozilla Public License 2.0

[Chain of Trust] Add OCSP stapled revoked demonstration site #1110

Open osirisinferi opened 4 years ago

osirisinferi commented 4 years ago

Hi all,

On the Chain of Trust page there are three test sites/test certificates:

We’ve set up websites to test certificates chaining to our active roots.

I thought those demonstration pages were mandatory for some root inclusion programs, but when I searched for this requirement on the Mozilla Root program page(s) I didn't find such a condition.

In any case, I would like to make a suggestion. As the "Revoked" page already states:

NOTE: Depending on your browser this page may not display as revoked. Not all browsers perform revocation checking.

This is very much true for my Chromium. However, it should check the revocation state if presented by a stapled OCSP response, right?

Wouldn't it be nice to have the following list:

We’ve set up websites to test certificates chaining to our active roots.

Any thoughts?

bdaehlie commented 4 years ago

The requirement to host valid/revoked/expired test pages is in Section 2.2 of the CA/B Forum Baseline Requirements.

I'm not opposed to setting up a revoked test site that staples but our SRE team would have to do it and they likely will not have time soon. A good suggestion though.

osirisinferi commented 4 years ago

@bdaehlie If I read the BR correctly (thanks!), Let's Encrypt is required to put up "test Web pages" for "ISRG Root X2" too before that root can be included. (Although I know there will be an "ISRG Root X2" signed by "ISRG Root X1" too, which probably wouldn't need the test pages.)

bdaehlie commented 4 years ago

We will need to set up test sites for ISRG Root X2 before we apply to have it included in root programs. That's why we haven't applied yet.

One of our operating principles is that we do not set up specialized systems for issuing end-entity certificates internally. If we issue an end-entity certificate we issue it the same way everyone else does - through our public ACME API. We need to finish some work to allow us to issue from ISRG Root X2 via boulder/ACME before we can issue the certificates for the test sites. Once that is done we will set up the test sites.

osirisinferi commented 3 years ago

It looks like the Root X2 pages have been up since March 24th!

Any thought about implementing an OCSP stapled variant of the revoked cert site?

jprenken commented 3 years ago

This remains in our backlog for now. Most stapling implementations out there (very reasonably) won't cache or serve non-valid responses, so we'll need to tweak or re-implement.
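An added, runnable illustration of the two points above (what a client sees in a stapled response, and what a server would have to be fed to staple a revoked one). This is example code written for this page, not code from the Let's Encrypt website or from Boulder. It builds a throwaway CA and leaf certificate, marks the leaf revoked in an `openssl`-style index file, has `openssl ocsp` answer the request offline, and then reads the certStatus back out of the resulting DER the way a client would. A DER response of this form is what a static-staple setting such as nginx's `ssl_stapling_file` reads instead of querying the live responder, which is the sort of tweak a revoked-staple test site would need. It assumes only the `openssl` CLI; the CA name, host name, serial and dates are constructed values.

```shell
#!/bin/sh
# Added example: produce a DER OCSP response with certStatus "revoked" for a
# throwaway CA/leaf pair and inspect it. Not from the Let's Encrypt project.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed issuing CA and a leaf certificate it issues.
# Names and the serial 0x1001 are constructed for the demo.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=revoked-demo.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -set_serial 0x1001 \
    -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Write the CA database that `openssl ocsp -index` consults. One tab-separated
# row per certificate: status (R = revoked), expiry, revocation time[,reason],
# serial (hex), file name, subject DN. Dates are constructed YYMMDDHHMMSSZ values.
write_index() {
  printf 'R\t300101000000Z\t240101000000Z,keyCompromise\t1001\tunknown\t/CN=revoked-demo.example\n' \
    > "$WORK/index.txt"
}

# Answer the OCSP request for leaf.crt from the index and write the DER
# response. The CA key signs the response directly (no delegated signer).
build_response() {
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" \
    -rsigner "$WORK/ca.crt" -rkey "$WORK/ca.key" \
    -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" -no_nonce \
    -CAfile "$WORK/ca.crt" \
    -respout "$WORK/revoked.ocsp.der" >/dev/null 2>&1
}

# Client-side view: extract the certStatus from a DER response.
# Prints "good", "revoked" or "unknown".
ocsp_status() {
  openssl ocsp -respin "$1" -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" \
    -CAfile "$WORK/ca.crt" -no_nonce -resp_text 2>/dev/null \
    | sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1
}

# Client-side view: does the response signature chain to the CA? Prints ok/fail.
ocsp_verify() {
  if openssl ocsp -respin "$1" -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" \
       -CAfile "$WORK/ca.crt" -no_nonce 2>&1 | grep -q '^Response verify OK'; then
    echo ok
  else
    echo fail
  fi
}

make_pki
write_index
build_response
echo "certStatus: $(ocsp_status "$WORK/revoked.ocsp.der")  signature: $(ocsp_verify "$WORK/revoked.ocsp.der")"
```

Against a real host, `openssl s_client -connect host:443 -status </dev/null` prints either "OCSP response: no response sent" or the stapled response with its Cert Status line, which is the quickest way to confirm whether a test site is stapling at all and what status the staple carries.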

osirisinferi commented 3 years ago

Well, that's not a "no"! :smiley: