[cabfpub] Short Lived Certificates

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Fri Jul 27 12:03:18 MST 2012


On Fri, 27 Jul 2012 20:26:13 +0200, Jeremy Rowley
<jeremy.rowley at digicert.com> wrote:

> Appendix B of the baseline requirements state:
>
> B. cRLDistributionPoints
>
> This extension MAY be present. If present, it MUST NOT be marked
> critical, and it MUST contain the HTTP URL of the CA’s CRL service.
> See Section 13.2.1 for details.
>
> C. authorityInformationAccess
>
> With the exception of stapling, which is noted below, this extension  
> MUST be present.  It MUST NOT be marked critical, and it MUST contain  
> the HTTP URL of the Issuing CA’s OCSP responder (accessMethod =  
> 1.3.6.1.5.5.7.48.1).  It SHOULD also contain the HTTP URL of the Issuing  
> CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).  See Section  
> 13.2.1 for details.
>
> The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted provided
> that the Subscriber “staples” OCSP responses for the Certificate in its
> TLS handshakes [RFC4366].
>
> This results in an odd situation where a CA can issue a certificate  
> without either a CRL or AIA if the customer promises to use OCSP  
> stapling. A customer won’t serve a revoked certificate through its  
> server, meaning the certificate can never be effectively revoked.  
> Compare this to Appendix B of the EV Guidelines.

Please note that my proposal for BR Issue #7 (MUST have intermediate
issuer cert URL in AIA field, not SHOULD) also removes the stapling option
from this language.

The proposal currently needs one more endorser and an effective date in
order to become a ballot.

If the proposed text is approved, then the possibility you describe will
no longer be allowed by the BR.


-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************
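The Appendix B rules quoted in this thread can be checked mechanically. The following is an added example, not code from this message, the CA/Browser Forum, or Opera: it encodes and decodes the AuthorityInfoAccessSyntax and CRLDistributionPoints extension values in DER, then applies the quoted MUST/SHOULD rules, including the stapling exception Jeremy points out. All DER and URLs are constructed here as placeholders; the `stapling` flag stands in for the Subscriber's promise to staple, which the certificate itself cannot record.

```python
# Added example (not from the thread): encode/decode the AIA and CRLDP
# extension values and check them against the BR Appendix B text quoted above.
# All DER below is constructed here; the URLs are placeholders.

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]           # first two arcs share one byte
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                             # base-128 with continuation bits
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_aia(entries):
    """AuthorityInfoAccessSyntax: SEQUENCE OF { accessMethod OID, [6] URI }."""
    return _tlv(0x30, b"".join(
        _tlv(0x30, _encode_oid(oid) + _tlv(0x86, url.encode())) for oid, url in entries))


def encode_crldp(urls):
    """CRLDistributionPoints: SEQUENCE OF DistributionPoint { [0] { [0] GeneralNames } }."""
    return _tlv(0x30, b"".join(
        _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, u.encode())))) for u in urls))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        out.append((tag, body))
    return out


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0  # valid for arcs 0 and 1 only
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_aia(der):
    """Return [(accessMethod OID, URI or None)] from an AIA extension value."""
    out = []
    for _, desc in _children(_read_tlv(der, 0)[1]):
        (_, oid), (loc_tag, loc) = _children(desc)[:2]
        out.append((_decode_oid(oid), loc.decode() if loc_tag == 0x86 else None))
    return out


def decode_crldp(der):
    """Return the URI fullNames found in a CRLDP extension value."""
    urls = []
    for _, dp in _children(_read_tlv(der, 0)[1]):
        for tag, body in _children(dp):
            if tag == 0xA0:                  # distributionPoint [0] (explicit)
                for inner_tag, names in _children(body):
                    if inner_tag == 0xA0:    # fullName [0] GeneralNames
                        urls += [n.decode() for t, n in _children(names) if t == 0x86]
    return urls


def check_appendix_b(aia=None, crldp=None, stapling=False):
    """aia / crldp: None or (critical, der). Returns 'MUST:'/'SHOULD:' findings."""
    findings = []
    if crldp is not None:
        critical, der = crldp
        if critical:
            findings.append("MUST: cRLDistributionPoints is marked critical")
        if not any(u.startswith("http://") for u in decode_crldp(der)):
            findings.append("MUST: cRLDistributionPoints lacks an HTTP CRL URL")
    if aia is None:
        if not stapling:                     # the stapling exception in the quoted text
            findings.append("MUST: authorityInformationAccess is absent")
        return findings
    critical, der = aia
    if critical:
        findings.append("MUST: authorityInformationAccess is marked critical")
    methods = {oid: url for oid, url in decode_aia(der) if url and url.startswith("http://")}
    if OID_OCSP not in methods and not stapling:
        findings.append("MUST: no HTTP OCSP responder URL in AIA")
    if OID_CA_ISSUERS not in methods:
        findings.append("SHOULD: no HTTP issuer certificate URL in AIA")
    return findings
```

Calling `check_appendix_b(aia=None, crldp=None, stapling=True)` returns no findings at all, which is exactly the gap Jeremy describes: with a stapling promise, a certificate carrying neither extension passes the quoted text. Dropping the `stapling` branch is what the Issue #7 wording change amounts to in this checker.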

