MECAI: Mutually Endorsing CA Infrastructure
Diagram version 2
https://kuix.de/mecai   kaie@kuix.de   kaie@redhat.com

[Figure: the text labels below were recovered from the diagram image.]

Participants

  Client (browser, e-mail client, or any SSL client)
    List of trusted CAs: CA 1, CA 2, CA 3, CA 4, ..., CA n

  Domain Registry (NIC), holding for each domain:
    (a) domain holder
    (b) administrative contact
    (c) technical contact
    (d) zone administrator

  CA 1, CA 2, CA 3, CA 4, ..., CA n
    Each CA operates one Voucher Authority Server (VAS 1, VAS 2, VAS 3, VAS 4, ...).
    CA 2 also operates the OCSP server for CA 2.

  Server (web server, e-mail server, or any SSL server)
    Holds its own certificate from one of the CAs.
    Cache of fresh vouchers (refreshed daily): voucher from VA 1, VA 2, VA 3, VA 4, ..., VA n

  Voucher Authority Server (VAS)
    Has a list of trust contexts:
      - MOZ (decided to distrust CA 2)
      - Vendor O
      - Vendor M
      - Vendor G
      - Other vendors ...
    When a new valid certificate is seen for the first time, it sends a signed e-mail
    containing the certificate to each of (a), (b), (c), (d). The new certificate is put
    on hold; the first voucher is issued after 3 days without complaints.

Exchange 1: TLS handshake with voucher stapling

  Client: Hello! Let's connect, I support voucher stapling. Give me a voucher from
          either CA 1, CA 2 or CA 3 (which I have randomly selected).
  Server: (my own cert is from CA 2, VA 3 was offline today)
          OK, here is a voucher from CA 1.
  Client: Oops, no voucher for MOZ trust context? Bye bye.

Exchange 2: a server requesting a voucher from a VAS

  Voucher-requesting server: Hello, I'm connecting to you with TLS. I am using TLS client
          authentication, so you know I really own that cert. Please give me a voucher
          for this cert (it's from CA 2). Contact me at port 4242.
  Voucher Authority Server:  OK! Please stand by while I probe you!
          - Probing connection to port 4242 (let's see if your cert matches my expectations).
          - To the OCSP server for CA 2: please give me OCSP information for this certificate.
  Voucher Authority Server, one of:
          (a) Your cert is new, I notified the domain owner, please come back later.
          (b) Sorry, your cert seems invalid, no voucher for you.
          (c) OK, here is your voucher, it's valid for O+M+G only. I included OCSP data.

Exchange 3: fetching a voucher directly from a VAS

  Give me a voucher: Please give me a voucher for this server cert (issued by CA 2).
  (Used when the server runs old software and cannot staple vouchers to the TLS handshake.)
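The two sides of the exchanges above, as an added example in Go that is not part of the MECAI diagram or project. The VAS side (Issue) applies the three outcomes in Exchange 2: probe mismatch, bad OCSP, and the 3-day hold for a newly seen certificate, and vouches only in the trust contexts that still trust the issuing CA. The client side (ClientCheck) applies Exchange 1: the stapled voucher must come from one of the VAs the client picked at random for this connection, verify under that VA's key, be fresh, name the certificate actually presented, and cover the client's own trust context, so a MOZ client rejects an O+M+G-only voucher. Assumptions not on the page: Ed25519 signatures, a JSON voucher with the field names shown, a 24-hour voucher lifetime (the diagram only says "refreshed daily"), and the probe and OCSP lookup replaced by parameters (probedCert, ocspGood) because the demo runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Voucher is what a VAS signs after probing; field names and JSON encoding are this example's assumptions.
type Voucher struct {
	VA            string   `json:"va"`             // issuing VAS, e.g. "VA1"
	CertFP        [32]byte `json:"cert_fp"`        // sha256 of the vouched-for cert
	TrustContexts []string `json:"trust_contexts"` // e.g. "MOZ", "O", "M", "G"
	Expires       int64    `json:"expires"`        // unix time; vouchers are refreshed daily
}

type SignedVoucher struct{ Payload, Signature []byte }

// VA is one Voucher Authority Server: a signing key, its trust contexts, and per context the CAs it distrusts.
type VA struct {
	Name       string
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	Contexts   []string
	Distrusted map[string]map[string]bool // ctx -> CA -> distrusted
}

func NewVA(name string, contexts []string, distrusted map[string]map[string]bool) *VA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail in practice
	return &VA{Name: name, Pub: pub, priv: priv, Contexts: contexts, Distrusted: distrusted}
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Issue is the VAS decision after probing: probedCert is what the VAS saw on the requester's
// port, ocspGood stands in for the OCSP lookup, firstSeen drives the 3-day new-certificate hold.
func (va *VA) Issue(reqCert, probedCert []byte, issuerCA string, ocspGood bool, firstSeen, now time.Time) (SignedVoucher, error) {
	switch {
	case sha256.Sum256(reqCert) != sha256.Sum256(probedCert):
		return SignedVoucher{}, fmt.Errorf("probe: cert on your port does not match the cert you asked about")
	case !ocspGood:
		return SignedVoucher{}, fmt.Errorf("sorry, your cert seems invalid, no voucher for you")
	case now.Sub(firstSeen) < 72*time.Hour:
		return SignedVoucher{}, fmt.Errorf("your cert is new, I notified the domain owner, please come back later")
	}
	var ctxs []string // vouch only in contexts that still trust the issuing CA
	for _, c := range va.Contexts {
		if !va.Distrusted[c][issuerCA] {
			ctxs = append(ctxs, c)
		}
	}
	v := Voucher{VA: va.Name, CertFP: sha256.Sum256(reqCert), TrustContexts: ctxs, Expires: now.Add(24 * time.Hour).Unix()}
	payload, _ := json.Marshal(v)
	return SignedVoucher{Payload: payload, Signature: ed25519.Sign(va.priv, payload)}, nil
}

// PickVAs is the client's per-connection random choice of acceptable VAs, so a server cannot know in advance which VA to fool.
func PickVAs(all []string, k int) []string {
	perm := append([]string(nil), all...)
	for i := len(perm) - 1; i > 0; i-- {
		j, _ := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		perm[i], perm[j.Int64()] = perm[j.Int64()], perm[i]
	}
	return perm[:k]
}

// ClientCheck is the browser side of stapling: voucher from a picked VA, valid signature,
// unexpired, for the presented cert, and covering the client's own trust context.
func ClientCheck(vaKeys map[string]ed25519.PublicKey, picked []string, ctx string, certDER []byte, sv SignedVoucher, now time.Time) error {
	var v Voucher
	if err := json.Unmarshal(sv.Payload, &v); err != nil {
		return err
	}
	if !contains(picked, v.VA) {
		return fmt.Errorf("voucher from %s, but I asked for one of %v", v.VA, picked)
	}
	if pub, ok := vaKeys[v.VA]; !ok || !ed25519.Verify(pub, sv.Payload, sv.Signature) {
		return fmt.Errorf("voucher signature does not verify")
	}
	if now.Unix() > v.Expires || v.CertFP != sha256.Sum256(certDER) {
		return fmt.Errorf("voucher expired or issued for a different certificate")
	}
	if !contains(v.TrustContexts, ctx) {
		return fmt.Errorf("no voucher for %s trust context? bye bye", ctx)
	}
	return nil
}
```

In this model the client fails closed on trust context: a voucher that is perfectly valid for vendors O, M and G is still useless to a MOZ client once MOZ has distrusted CA 2, which is exactly the "Bye bye" in Exchange 1. The per-connection random pick of VAs is what stops a server from preparing a single forged or stale voucher in advance.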