Let’s Encrypt Violates 360 Browser CA Policy

The 360 Browser Root Certificate Program says:

All subscriber certs must:

  1. Provide valid OCSP URL, AIA URL and CRL URL, and OIDs defined in CA/Browser Forum Baseline Requirements.

But all Let’s Encrypt subscriber certs provide no OCSP anymore. I think one of them must be wrong: the 360 CA program or Let’s Encrypt.

1 Like

The LE side didn't do much, but 360 Browser added it to their trust store in 2022 (when LE only had OCSP without CRL).

3 Likes

Thanks for bringing this up. It appears that 360 Browser has not updated their root program requirements in many years, and hasn't kept up with the latest changes both to the Baseline Requirements, and to the policies enforced in code by Chromium (on which 360 Browser is based). We'll follow up with them.

7 Likes

Well, previously no CRL URL was provided within the subscriber certificates, so it seems LE wasn't compliant to begin with?

I know LE started operating CRLs for end user certs at some point, but these URIs weren't actually embedded in the certs until recently, only published on CCADB.

Edit:
According to "Add ISRG Root to 360 Browser trust store - #7 by wordlesswind", the CRL was never required for end user certs. Apparently they never bothered changing their requirements, even when confronted with this. #wouldnottrust

4 Likes