Improving revocation : will Let's Encrypt support OCSP Must-staple?

The CPS has been updated, yes.

CP: "id-kp-emailProtection [RFC5280] may be present. Other values should not be present"
Is this a hint that there may come S/MIME certificates too? :slight_smile:

And a typo at the head of page 62:
“Curve P-521” “ansip384r1 ::= { iso(1) identified-organization(3) certicom(132) curve(0) 35 }”

Don't think you can say anything about that. That text isn't new and was already included in the first CP of 2015.

Now suche.org works, but I had to manually delete the old HPKP pins to see it working…
You should double check your HPKP configuration.

It depends on whether you are even able to do that in the first place, depending on your browser.

Remember that (sadly) HSTS and HPKP are nothing the user can circumvent.

And how can I create a CSR with the Must-Staple extension?
With OpenSSL?

(Is a special OpenSSL version required for this? If so, what is the minimum version where it works?)

See this post on how to create a CSR (also see here for a full CSR example).

“1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05” is the part you need to add to the “req_extensions” section (you need to type “1.3.6.1.5.5.7.1.24” for older openssl versions since the option “tlsfeature=status_request” is not mapped yet automatically).

But beware when you use this for services other than web servers: e.g. Postfix and Dovecot do not support OCSP stapling, but e.g. Thunderbird checks whether a stapled response is included.


If you use the official client: since 0.7.0 there’s a new switch: --must-staple

BTW: Do you know any testing tool, which shows whether OCSP Must-Staple is used/working?

I don’t know any tools, but you can check if the certificate has the must-staple attribute. And just after installing the certificate, the first request will probably not be stapled, so it should fail with Firefox.


Interesting. This is exactly what it did.
Additionally, you can also see it in the certificate details view of Firefox under Certificate -> Extensions. There is an "object identifier" 1 3 6 1 5 5 7 1 24 with the content 30 03 02 01 05. That's what you've set in the OpenSSL config file.
BTW: You can also see this in the certificate transparency log.

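The two posts above show the same value from both ends: the `DER:30:03:02:01:05` string added to the OpenSSL `req_extensions` section, and the `30 03 02 01 05` bytes Firefox later displays for OID 1.3.6.1.5.5.7.1.24. The following is an added example (not code from the thread or from any Let's Encrypt client) that encodes and decodes that extension value, so you can both generate the config line for an older OpenSSL and check whether a certificate's extension value actually asserts Must-Staple. Function names and the sample input are my own; the encoding follows RFC 7633 (TLSFeature ::= SEQUENCE OF INTEGER) with status_request = 5.

```python
"""Encode/decode the X.509 TLS Feature extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24).

Added example, not code from the thread. The value 30 03 02 01 05 quoted above is
SEQUENCE { INTEGER 5 }: the TLS extension type status_request, i.e. OCSP Must-Staple.
"""

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5        # TLS ExtensionType for OCSP stapling (RFC 6066)
STATUS_REQUEST_V2 = 17    # RFC 6961 multi-stapling variant


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER with minimal two's-complement body (128..255 need a leading 0x00)."""
    if value < 0:
        raise ValueError("TLS extension types are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return b"\x02" + _der_length(len(body)) + body


def encode_tls_features(features) -> bytes:
    """TLSFeature ::= SEQUENCE OF INTEGER."""
    body = b"".join(_der_integer(f) for f in features)
    return b"\x30" + _der_length(len(body)) + body


def openssl_config_line(features=(STATUS_REQUEST,)) -> str:
    """The req_extensions line for OpenSSL builds that lack 'tlsfeature=status_request'."""
    hex_octets = ":".join(f"{b:02x}" for b in encode_tls_features(features))
    return f"{TLS_FEATURE_OID}=DER:{hex_octets}"


def _read_length(buf: bytes, i: int):
    """Return (length, index after the length octets); reject absurd long forms."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n_octets = first & 0x7F
    if n_octets == 0 or n_octets > 4 or i + 1 + n_octets > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n_octets], "big"), i + 1 + n_octets


def decode_tls_features(der: bytes) -> list:
    """Parse an extension value into a list of TLS extension types; ValueError if malformed."""
    if not der or der[0] != 0x30:
        raise ValueError("TLSFeature must be a SEQUENCE")
    seq_len, i = _read_length(der, 1)
    end = i + seq_len
    if end != len(der):
        raise ValueError("trailing or missing bytes in SEQUENCE")
    features = []
    while i < end:
        if der[i] != 0x02:
            raise ValueError("expected INTEGER")
        n, i = _read_length(der, i + 1)
        if n == 0 or i + n > end:
            raise ValueError("bad INTEGER length")
        features.append(int.from_bytes(der[i:i + n], "big", signed=True))
        i += n
    return features


def requires_ocsp_stapling(der: bytes) -> bool:
    """True when a certificate carrying this extension value asserts Must-Staple."""
    return STATUS_REQUEST in decode_tls_features(der)


if __name__ == "__main__":
    # Constructed input: the extension bytes Firefox shows in the thread above.
    firefox_value = bytes.fromhex("3003020105")
    print(openssl_config_line())
    print(decode_tls_features(firefox_value), requires_ocsp_stapling(firefox_value))
```

Drop the string returned by `openssl_config_line()` into the section your `req_extensions` points at; on an OpenSSL that already understands it, `tlsfeature = status_request` in the same section produces identical bytes. To check an issued certificate, feed `decode_tls_features` the raw value of the 1.3.6.1.5.5.7.1.24 extension (the same bytes Firefox lists under Extensions): if it does not contain 5, the certificate does not require stapling, whatever the server config says.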

This behaviour (first request fails due to lack of OCSP staple) is a defect in the web server. Make sure to complain to the people who wrote it and don’t take “it’s supposed to do that” for an answer. Imagine if they said “It’s supposed to do that” for giving a 404 on every tenth URL access. Lazy is what it is.

What web servers with OCSP-stapling turned on should do is spin up, notice they have one or more SSL certificates and check a permanent (e.g. disk) cache to find a response for each cert. Do they have a new enough OCSP response cached? If so, start serving that immediately. Otherwise, spin up a sub-routine to fetch a new OCSP response.

Apache’s current attempt is pretty feeble. They have no permanent cache, if you stop Apache to patch something, when you restart it their OCSP “cache” is empty and you’ll get empty results for a while. That’s the sort of thing you’d expect in some “proof of concept” demo, not a real web server. Responsible people aren’t going to be able to turn on OCSP-Must-Staple for an Apache server until they do a much better job of this and that starts with feedback.


In my case I could reproduce it with nginx 1.10.0.

But I found a guide with some workarounds:
https://unmitigatedrisk.com/?p=241


BTW, SSL Labs is working on implementing a test for this feature.


Just for information: in Firefox, a certificate with Must-Staple seems to break HPKP (see Bug 1278041).


BTW: You can vote for (fixing) this bug on Bugzilla. :smiley:


On my page suche.org I do not get an HPKP error, and I use Must-Staple.

@tlussnig I do get the same error in the console with Firefox 46.0.1 about your HPKP.

Hi, now I also see it in the console log.

  1. It is interesting that an HPKP error does not cause a visible security alert.
  2. SSL errors should normally be reported. But this is also not triggered.
  3. SSL Labs sees no error on the page.

  1. When an HPKP header is ignored, it doesn’t cause a visible security alert, and the consequence of the bug is that HPKP is ignored.
  2. As the header is ignored, no report…
  3. The header is correct, so no error to show!