<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Cambria-BoldItalic;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Sorry everyone, included the policy conflict section as well.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">The confusion is due to the following in section 7.1.2.2 of V1.3.1 of the BR, which I interpret to mean the CDP is mandatory while the OCSP is the one that is potentially optional. I may not fully understand
stapling, but thought it was a browser function and not a CA function.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><a name="_MailEndCompose"><b><i><span style="font-size:12.0pt;font-family:Cambria-BoldItalic">7.1.2.2. Subordinate CA Certificate</span></i></b></a><b><i><span style="font-size:12.0pt;font-family:Cambria-BoldItalic"><o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">b. cRLDistributionPoints<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif;background:yellow;mso-highlight:yellow">This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL
of the<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif;background:yellow;mso-highlight:yellow">CA’s CRL service</span><span style="font-size:10.0pt;font-family:"Cambria",serif">.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">c. authorityInformationAccess<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif;background:yellow;mso-highlight:yellow">With the exception of stapling, which is noted below, this extension MUST be present.</span><span style="font-size:10.0pt;font-family:"Cambria",serif">
It MUST NOT be<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod =<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod =<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">1.3.6.1.5.5.7.48.2).<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><span style="font-size:10.0pt;font-family:"Cambria",serif">The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted, provided that the Subscriber “staples” the<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Cambria",serif">OCSP response for the Certificate in its TLS handshakes [RFC4366].<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#5B9BD5"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#5B9BD5">Kenneth Myers<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Verdana",sans-serif">Supporting GSA Federal PKI Management Authority<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#555555;background:white">Protiviti | Government Solutions | Manager<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#555555;background:white">DC | +1 571-469-9038 |
</span><a href="mailto:Kenneth.Myers@GSA.gov"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#0563C1;background:white">Kenneth.Myers@GSA.gov</span></a><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#555555;background:white"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#555555;background:white">Alexandria |
</span><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#555555">+1 571-366-6120
<span style="background:white">| </span></span><a href="mailto:Kenneth.Myers@Protiviti.com"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#0563C1;background:white">Kenneth.Myers@Protiviti.com</span></a><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#555555"><br>
<span style="background:white">Connect: </span></span><a href="https://www.linkedin.com/in/kennethmy"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#0563C1;background:white">LinkedIn</span></a><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#555555;background:white">
| Thought Leadership: </span><a href="http://www.protiviti.it/en-US/Pages/Insights.aspx"><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#0563C1;background:white">Protiviti.com</span></a><span style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:#555555;background:white"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer
attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions
expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you
have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you.
</body>
</html>