<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Texto de globo Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.TextodegloboCar
{mso-style-name:"Texto de globo Car";
mso-style-priority:99;
mso-style-link:"Texto de globo";
font-family:"Tahoma","sans-serif";
mso-fareast-language:ES;}
span.EstiloCorreo20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:213540684;
mso-list-template-ids:1398557954;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ES link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>No problem at all. In the public list now </span><span style='font-size:11.0pt;font-family:Wingdings;color:#1F497D'>J</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Regarding the question, what I meant is to indicate clearly in the BR. The browsers´ root programs indicate clearly but not the BRs. In annex B is indicated that only OCSP is mandatory but in the root programs is said that both are mandatory, so that´s a contradiction.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black'>945067705</span><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><img border=0 width=585 height=111 id="Imagen_x0020_1" src="cid:image001.png@01CF3ED0.8582DF60" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'><br></span><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span style='font-family:"Calibri","sans-serif";color:navy;mso-fareast-language:ES-TRAD'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>De:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Enviado el:</b> martes, 11 de marzo de 2014 22:12<br><b>Para:</b> Barreira Iglesias, Iñigo<br><b>CC:</b> 'management@cabforum.org' (management@cabforum.org)<br><b>Asunto:</b> Re: [cabfman] possible OCSP/CRL inconsistencies in the BR<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>1) Should this be on the public list? Am I missing some context?<o:p></o:p></p><div><p class=MsoNormal>2) Shouldn't you reach out to the root program maintainers?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Speaking for Google, we strongly value having CRLs - primarily for intermediates more than EE certs - and as you note, it's REQUIRED by the Mozilla policy. I think a CA that didn't support CRLs would not necessarily have the same security strengths as a CA who did - which you can say the same for OCSP.<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Mar 11, 2014 at 2:21 AM, <<a href="mailto:i-barreira@izenpe.net" target="_blank">i-barreira@izenpe.net</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='color:#1F497D'>Any news on this?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='color:#1F497D'>It´s something to agree because it has to update accordingly in the ETSI docs. ETSI ESI has agreed to have OCSP mandatory and CRL optional, any reaction from the CABF?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='color:#1F497D'>Regards</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='color:#1F497D'> </span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net" target="_blank">i-barreira@izenpe.net</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>945067705</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES-TRAD style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'><img border=0 width=585 height=111 id="_x0000_i1025" src="cid:image001.png@01CF3ED0.8582DF60" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:9.75pt'><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style='color:#888888'><br></span><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>De:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:management-bounces@cabforum.org" target="_blank">management-bounces@cabforum.org</a> [mailto:<a href="mailto:management-bounces@cabforum.org" target="_blank">management-bounces@cabforum.org</a>] <b>En nombre de </b><a href="mailto:i-barreira@izenpe.net" target="_blank">i-barreira@izenpe.net</a><br><b>Enviado el:</b> jueves, 20 de febrero de 2014 23:01<br><b>Para:</b> <a href="mailto:management@cabforum.org" target="_blank">management@cabforum.org</a><br><b>Asunto:</b> [cabfman] possible OCSP/CRL inconsistencies in the BR</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hello,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Reviewing the CABF BR, I think there are some inconsistencies. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>For example:</span><o:p></o:p></p><p><span lang=EN-US>-</span><span lang=EN-US style='font-size:7.0pt'> </span><span lang=EN-US>In 13.1.5 12) it talks about OCSP/CRL but does not indicate anything else. You can interpretate that both can be used or shall be used or just one</span><o:p></o:p></p><p><span lang=EN-US>-</span><span lang=EN-US style='font-size:7.0pt'> </span><span lang=EN-US>In 13.1.6 8) is similar to the one above but it seems to be dedicated to the issuing CAs, and in the annex B it´s indicated that issuing CAs have to have both, the OCSP and the CRL indicated in the AIA and CDP respectively (not the same for the end user certificates in which the CDP has a MAY)</span><o:p></o:p></p><p><span lang=EN-US>-</span><span lang=EN-US style='font-size:7.0pt'> </span><span lang=EN-US>In 13.2.2 is different somehow from the first option indicated above, indicating that IF the CA generates CRL for the subscriber certs, but otherwise “mandate” update the CRL AND OCSP for the issuing CAs as indicated in Annex B</span><o:p></o:p></p><p><span lang=EN-US>-</span><span lang=EN-US style='font-size:7.0pt'> </span><span lang=EN-US>In 13.2.3 indicates that the CA shall maintain the OCSP and CRL (which is what said in annex b)</span><o:p></o:p></p><p><span lang=EN-US>-</span><span lang=EN-US style='font-size:7.0pt'> </span><span lang=EN-US>In 13.2.4 talks about removing the entrances in CRL or OCSP</span><o:p></o:p></p><p><span lang=EN-US>-</span><span lang=EN-US style='font-size:7.0pt'> </span><span lang=EN-US>And finally, in the annex B is clearly stated that for CAs has to maintain OCSP and CRL but for end user certificates, only OCSP is mandatory</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>So, maybe this is a misinterpretation of clause 13, but perhaps a rewording is needed to clarify it.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>OTOH, checking some browser policies found that indicates that CRL is mandatory and OCSP optional, so that can be a conflict here. For example, checking the Mozilla one, this is what I found:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><span lang=EN-US>CAs must maintain an online 24x7 repository mechanism whereby application software can automatically check online the current status of all unexpired certificates issued by the CA. For end-entity certificates: </span><o:p></o:p></li></ol><ol start=1 type=1><ul type=circle><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level2 lfo1'><span lang=EN-US style='background:yellow'>CRLs must</span><span lang=EN-US> be updated and reissued at least every seven days, and the value of the nextUpdate field shall not be more than ten days beyond the value of the thisUpdate field; or </span><o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level2 lfo1'><span lang=EN-US style='background:yellow'>if</span><span lang=EN-US> the CA provides revocation information via an Online Certificate Status Protocol (OCSP) service, it must update that service at least every four days. OCSP responses from this service must have a maximum expiration time of ten days. </span><o:p></o:p></li></ul></ol><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>And this is because 2 weeks go in the ETSI ESI meeting, it was decided that for qualified certificates, OCSP is mandatory and CRL optional. Any possible conflict with this?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Regards</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'><br>Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net" target="_blank">i-barreira@izenpe.net</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>945067705</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES-TRAD> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><img border=0 width=585 height=111 id="_x0000_i1026" src="cid:image001.png@01CF3ED0.8582DF60" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:9.75pt'><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span style='color:#888888'><br></span><span style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Management mailing list<br><a href="mailto:Management@cabforum.org">Management@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/management" target="_blank">https://cabforum.org/mailman/listinfo/management</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>