<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Hi Jeremy,<o:p></o:p></span></a></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>The use case is a Root CA that issues long term CA certificates to a limited number of organizations who operate their own issuing CAs independent from the same infrastructure of the root.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>For example, the Federal Government operates a Trust Anchor and issues 10 year subordinate certificates to a limited number of agencies (around 10). Those organizations operate their own intermediate and issuing CAs. The issuing CAs are required to have OCSP. All operate under the same CP but have different organizational CPS. OCSP is not a requirement of the root as long as we have a highly available HTTP CRL and because of the low issuance volume it is not big or will get big based on this model.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Ken<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Jeremy Rowley [mailto:jeremy.rowley@digicert.com] <br><b>Sent:</b> Wednesday, January 13, 2016 21:43<br><b>To:</b> Peter Bowen <pzb@amzn.com>; Ryan Sleevi <sleevi@google.com>; Myers, Kenneth (10421) <kenneth.myers@protiviti.com>; Ben Wilson <ben.wilson@digicert.com>; public@cabforum.org<br><b>Subject:</b> RE: [cabfpub] OCSP Requirement for Root CA<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>That’d be interesting. Is there a use case for it? <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I don’t see any reason it couldn’t be done that way assuming you still have an OCSP response that complies with 4.9.10. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Peter Bowen<br><b>Sent:</b> Wednesday, January 13, 2016 1:49 PM<br><b>To:</b> Ryan Sleevi; Myers, Kenneth (10421); Ben Wilson; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] OCSP Requirement for Root CA<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On Jan 13, 2016, at 10:15 AM, Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>> wrote:<o:p></o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Wed, Jan 13, 2016 at 10:03 AM, Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank">ben.wilson@digicert.com</a>> wrote:<o:p></o:p></p><div><div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><p class=MsoNormal>Is the requirement really clear? Some browsers don't check OCSP for intermediates and use CRLs instead. <o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>So? The BRs themselves are clear it's a requirement. I mean, if we want to change to discuss that practical reality, we certainly can, but we should at least honor the rules as written.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Section 4.9.10 makes that clear. 7.1.2.2 item c also makes this clear.<o:p></o:p></p></div></div></div></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'>It seems pretty clear to me. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'>If a CA signs a certificate with CA:True in basicConstraints, then it must issue CRLs.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'>If a CA issues certificates covered by the BRs (either subscriber certificates or CA cross-certificates), then it must have an associated OCSP responder.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'>I think it is allowable that a CA that issues both kinds of certs (subscriber and CA) can issue CRLs with an IDP extension that indicates that the CRL only covers CA certs.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'>Does this sound right?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'>Thanks,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial",sans-serif;color:#222222'>Peter<o:p></o:p></span></p></div></div></div></body></html>