On 21 feb 2008, at 3:24, Geoff Huston wrote:

> The default setting in Firefox (and possibly Safari) is to use OCSP for
> validation of certificates where OCSP is referenced. The *.ietf.org
> certificate has as part of the Authority Information Field the value;
> OCSP: URI: http://ocsp.starfieldtech.com
> This URL is unreachable from many non-US sites, for reasons known only
> to Godaddy I presume.

Or Akamai. It turns out that I get different addresses for this FQDN
depending on whether I'm at home or at work, see traceroutes. (#include
<stdanycastisevil.h>) At home, everything works in both Safari and
Firefox on the Mac, at work it doesn't, even though I can open this
URL. Also tried with the ancient Internet Explorer for Mac and with
IE and Firefox on Windows XP, those don't seem to be bothered in the
same way as Safari and Firefox under MacOS.

Currently, Safari tells me that certificate with SHA-1 fingerprint
9F B6 01 FE 68 40 BB F6 6F 55 06 28 7C 42 15 01 38 0A CA 66 is signed by
an unknown authority. I can't copy/paste the details and they don't
show any areas that seem problematic to my untrained eye.

$ traceroute ocsp.starfieldtech.com
traceroute: Warning: ocsp.starfieldtech.com has multiple addresses; using 68.178.232.168
traceroute to balance.godaddy.com.akadns.net (68.178.232.168), 64 hops max, 40 byte packets
 1 192.168.0.1 (192.168.0.1) 2.953 ms 1.308 ms 1.660 ms
 2 static-1-138-7-89.ipcom.comunitel.net (89.7.138.1) 7.799 ms 7.567 ms 10.979 ms
 3 10.4.0.169 (10.4.0.169) 9.968 ms 9.400 ms 8.730 ms
 4 212.145.3.222 (212.145.3.222) 9.527 ms 10.969 ms 8.733 ms
 5 MAD06RI01-Vlan2.ipcom.comunitel.net (212.145.4.76) 8.834 ms 9.536 ms 9.386 ms
 6 mad3-core-1.gigabiteth4-0-0s152.swip.net (130.244.218.125) 10.211 ms 9.008 ms 9.280 ms
 7 cbv-core-1.pos4-0-0.swip.net (130.244.207.149) 44.177 ms 44.711 ms 46.704 ms
 8 cbv1-core-1.gigabiteth1-0-0.swip.net (130.244.206.254) 35.776 ms 35.769 ms 35.839 ms
 9 cbv1-core-2.tengigabiteth2-1.swip.net (130.244.49.70) 35.823 ms 35.002 ms 35.085 ms
10 pnias1257-gi-1-8.mpr2.cdg2.fr.above.net (84.207.23.161) 47.905 ms 47.796 ms 51.746 ms
11 so-5-0-0.cr1.lhr3.uk.above.net (64.125.23.13) 57.632 ms
   so-4-0-0.cr1.lhr3.uk.above.net (64.125.23.9) 48.694 ms
   so-5-0-0.cr1.lhr3.uk.above.net (64.125.23.13) 48.102 ms
12 so-1-0-0.mpr1.lhr2.uk.above.net (64.125.28.38) 50.884 ms 53.369 ms 56.308 ms
13 so-0-1-0.mpr1.dca2.us.above.net (64.125.27.57) 125.341 ms 122.779 ms 126.148 ms
14 so-1-0-0.mpr3.iah1.us.above.net (64.125.29.37) 151.115 ms 150.661 ms 149.343 ms
15 so-1-2-0.mpr2.phx2.us.above.net (64.125.25.10) 173.681 ms 172.848 ms 174.637 ms
16 64.124.113.62.godaddy.com (64.124.113.62) 193.435 ms 196.808 ms 192.744 ms
17 ip-208-109-112-137.ip.secureserver.net (208.109.112.137) 191.233 ms 191.285 ms 191.658 ms
18 ip-208-109-112-161.ip.secureserver.net (208.109.112.161) 193.251 ms 193.847 ms 198.613 ms
19 ip-208-109-112-145.ip.secureserver.net (208.109.112.145) 191.353 ms 191.677 ms 191.336 ms
20 ip-208-109-112-181.ip.secureserver.net (208.109.112.181) 193.680 ms 193.357 ms 191.327 ms
21 *^C

$ traceroute ocsp.starfieldtech.com
traceroute: Warning: ocsp.starfieldtech.com has multiple addresses; using 66.29.45.240
traceroute to balance.godaddy.com.akadns.net (66.29.45.240), 64 hops max, 40 byte packets
 1 faro.it.uc3m.es (163.117.140.2) 1.643 ms 0.249 ms 0.251 ms
 2 rtr-dep-it.uc3m.es (163.117.31.2) 0.524 ms 0.952 ms 0.653 ms
 3 163.117.32.25 (163.117.32.25) 0.801 ms 0.765 ms 0.693 ms
 4 rtcm-cr1-uc3m.redimadrid.madrimasd.org (193.145.14.22) 1.244 ms 1.182 ms 1.114 ms
 5 * XE1-0-0-101.Madrid0.red.rediris.es (130.206.215.65) 1.949 ms 1.550 ms
 6 MAD.XE7-0-0.EB-IRIS4.red.rediris.es (130.206.250.21) 1.759 ms 1.658 ms 1.767 ms
 7 mad-b1-link.telia.net (213.248.70.249) 1.779 ms 1.951 ms 1.830 ms
 8 prs-bb1-link.telia.net (80.91.248.128) 17.996 ms 18.028 ms 18.564 ms
 9 nyk-bb1-link.telia.net (80.91.251.96) 92.529 ms 92.341 ms 92.403 ms
10 nyk-b3-link.telia.net (80.91.250.9) 95.496 ms 95.396 ms 95.565 ms
11 netaccess-114875-nyk-b3.c.telia.net (213.248.83.186) 99.456 ms 99.567 ms 99.484 ms
12 0.e1-3.tbr2.tl9.nac.net (209.123.10.74) 99.636 ms 99.424 ms 99.405 ms
13 0.e1-4.tbr2.mmu.nac.net (209.123.10.77) 101.567 ms 101.363 ms 101.724 ms
14 vlan804.esd2.mmu.nac.net (209.123.10.14) 102.063 ms 101.751 ms 107.595 ms
15 0.ge-0-1-0.dar1.mmu.nac.net (209.123.11.110) 101.843 ms 101.508 ms 101.354 ms
16 mail.thecountryclubrich.com (66.29.45.240) 100.244 ms 100.416 ms 100.928 ms
_______________________________________________
IETF mailing list
IETF(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf
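
Added example, not part of the original message: a diagnostic for the situation described above, where one OCSP responder hostname resolves to several addresses and only some of them answer. It resolves every address behind the URL from the certificate and tries a TCP connect to each; the function names and the injectable `resolver`/`connect` parameters are assumptions made for this illustration.

```python
import socket
from urllib.parse import urlsplit

def resolve_all(host, port, resolver=socket.getaddrinfo):
    """Return every distinct address the local resolver gives for host."""
    seen = []
    for _family, _type, _proto, _canon, sockaddr in resolver(
            host, port, type=socket.SOCK_STREAM):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen

def probe_responder(ocsp_url, resolver=socket.getaddrinfo,
                    connect=socket.create_connection, timeout=5.0):
    """Try a TCP connect to each address behind an OCSP responder URL.

    Returns {address: "ok" | "unreachable: <reason>"}. A client only
    tries the addresses its own resolver hands it, so a single dead
    address can break revocation checks on one network and not another.
    """
    parts = urlsplit(ocsp_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an HTTP(S) OCSP URL: %r" % ocsp_url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    results = {}
    for addr in resolve_all(parts.hostname, port, resolver):
        try:
            conn = connect((addr, port), timeout)
            conn.close()
            results[addr] = "ok"
        except OSError as exc:  # timeout, connection refused, no route
            results[addr] = "unreachable: %s" % exc
    return results

if __name__ == "__main__":
    # OCSP URI quoted in the message from the certificate's AIA field.
    url = "http://ocsp.starfieldtech.com"
    for addr, status in probe_responder(url).items():
        print(addr, status)
```

Running it from each network (home and work in the message above) and comparing the two result sets shows whether the failure follows the address the resolver returns or the client software.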