[cabfcert_policy] NISTIR p.3, ll. 22-24 - OCSP responders

Dean Coclin Dean_Coclin at symantec.com
Fri Aug 29 14:59:46 MST 2014


Ben,
Not sure if I sent these responses through but this is what I got from NIST in response to your questions:


1.       Locally trusted OCSP servers:  We've seen a bit of delegated OCSP server stuff going on here.  I'm not sure how an OCSP server would assert a policy OID, but if they were locally generating proofs for a remote CA, it would have to work correctly.
The phrase "locally trusted" doesn't appear in RFC (69|25)60. The best I can come up with is the tail end of section 4.2.2.2 - "Matches a local configuration of OCSP signing authority for the certificate in question". I think this means, "if you've hand-crafted your OCSP-client relationship (through hand placed public keys, perhaps) in such a way as it can't affect anyone else, we're not going to get in your business."

2.       CSS and policy OIDs:  these aren't algorithm OIDs or any other type of OIDs, just policy OIDs.  Like you would find in the policy extensions.
The object here (insofar as I recall) is simply to limit the applicability of any particular OCSP signer. If I'm CA-Org, with Payroll policy and Research policy, I might have CSS-Payroll and CSS-Research.

Happy to go back and ask more questions if we need to.
Dean

From: policyreview-bounces at cabforum.org [mailto:policyreview-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Monday, July 21, 2014 6:36 PM
To: policyreview at cabforum.org
Subject: [cabfcert_policy] NISTIR p.3, ll. 22-24 - OCSP responders

The draft NISTIR says that "A CSS shall assert all the policy OIDs for which it is authoritative".  Does it really need to say this?  Similarly, does the NISTIR really need to have the next sentence, which says, "OCSP servers that are locally trusted, as described in [RFC2560], are not covered by this policy."

What does the first sentence say?  (I think it means to say, "a CSS shall be capable of responding ...")

Is the second sentence just an attempt to carve out something that is specific to the client-centric model using SCVP used by US agencies rather than the web PKI?
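An added example, not part of the thread or of NIST's text: a small Python model of the responder-acceptance clauses the reply points to (RFC 6960 section 4.2.2.2, including the "local configuration" tail clause) combined with the draft NISTIR rule that a CSS asserts the policy OIDs it is authoritative for, using the CA-Org / CSS-Payroll / CSS-Research names from the thread. The 1.2.3.4.x policy OIDs and all certificate names are constructed placeholders; only the id-kp-OCSPSigning OID is real.

```python
from dataclasses import dataclass

# id-kp-OCSPSigning extended key usage (RFC 6960, section 4.2.2.2).
OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"
# Constructed placeholder policy OIDs for the CA-Org example in the thread.
PAYROLL = "1.2.3.4.1"
RESEARCH = "1.2.3.4.2"


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: names, policy OIDs and EKU OIDs only."""
    subject: str
    issuer: str
    policies: frozenset = frozenset()
    eku: frozenset = frozenset()


def signer_case(cert, signer, trusted_responders, local_config):
    """Return the RFC 6960 4.2.2.2 clause admitting `signer` for `cert`, or None."""
    if signer.subject == cert.issuer:
        return "issuing-ca"                 # signed by the CA that issued cert
    if signer.subject in trusted_responders:
        return "trusted-responder"          # responder key the client already trusts
    if signer.issuer == cert.issuer and OCSP_SIGNING_EKU in signer.eku:
        return "designated-responder"       # CA-delegated responder
    if local_config.get(cert.issuer) == signer.subject:
        return "local-configuration"        # the "locally trusted" tail clause
    return None


def css_authoritative(signer, cert):
    """Draft NISTIR rule: the CSS asserts every policy OID of the cert it answers for."""
    return cert.policies <= signer.policies


def check(cert, signer, trusted_responders=frozenset(), local_config=None):
    """Return (admitting clause or None, whether the response may be relied on)."""
    case = signer_case(cert, signer, trusted_responders, local_config or {})
    return case, case is not None and css_authoritative(signer, cert)


# Constructed sample data mirroring the CA-Org / CSS-Payroll / CSS-Research example.
CA = "CN=CA-Org"
EE_PAYROLL = Cert("CN=alice", CA, frozenset({PAYROLL}))
CSS_PAYROLL = Cert("CN=CSS-Payroll", CA, frozenset({PAYROLL}), frozenset({OCSP_SIGNING_EKU}))
CSS_RESEARCH = Cert("CN=CSS-Research", CA, frozenset({RESEARCH}), frozenset({OCSP_SIGNING_EKU}))
LOCAL_OCSP = Cert("CN=local-ocsp", "CN=Agency-Root", frozenset({PAYROLL}))

if __name__ == "__main__":
    print(check(EE_PAYROLL, CSS_PAYROLL))    # ('designated-responder', True)
    print(check(EE_PAYROLL, CSS_RESEARCH))   # ('designated-responder', False): wrong policy
    print(check(EE_PAYROLL, LOCAL_OCSP))     # (None, False): no clause admits it
    print(check(EE_PAYROLL, LOCAL_OCSP, local_config={CA: "CN=local-ocsp"}))  # ('local-configuration', True)
```

The second call shows the point of the policy-OID rule: CSS-Research is a valid CA-designated responder, but its response for a Payroll certificate is not one it is authoritative for.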