[cabfpub] Notes of meeting, CA/Browser Forum, Gjøvik, Norway, 26-28 June 2012

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Fri Jul 6 06:27:49 UTC 2012

On Fri, 06 Jul 2012 08:04:11 +0200, <y-iida at secom.co.jp> wrote:

> Does it mean that OCSP responder implementations which:
>   1. read (only) CRL
>   2. check whether requested serial is in there
>   3. if there is, respond "Revoked"
>   4. if not, respond "Good"
> are not allowed?

That will be a natural consequence of the proposed change, which has not
yet been balloted.

Such a responder would be able to respond "good" for a certificate that  
was never issued, according to the CA's own information.

However, such a certificate might have been caused to be issued by an  
attacker, and the information destroyed, as was the case with DigiNotar.

Therefore, in order to not respond "good" for an unknown certificate, the  
OCSP responder's responses need to be based on at least the combined list  
of valid certificates and the revocation list.

>> Notes of meeting
>> CA/Browser Forum
>> Gjøvik, Norway
>> 26-28 June 2012
> ...
>> 8. BR Issues list.
> ...
>> It was decided to disallow the "Good" response in the case where the
>> OCSP responder for a particular CA does not know if that CA issued
>> the certificate.

Yngve N. Pettersen
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
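Added illustration, not part of the thread: a small Python model of the two responder designs discussed above, contrasting a CRL-only responder with one that also consults the CA's list of issued certificates. The serial numbers, the CaRecords structure and the "unknown" result for a serial absent from both lists are constructed for this example.

```python
"""Model of two OCSP responder designs (constructed example, not CA/B Forum text)."""
from dataclasses import dataclass, field


@dataclass
class CaRecords:
    # Serials the CA's own database says it issued (constructed sample data)
    issued: set = field(default_factory=set)
    # Serials listed on the CA's CRL (constructed sample data)
    revoked: set = field(default_factory=set)


def crl_only_status(serial: int, ca: CaRecords) -> str:
    """The design from the quoted question: the CRL is the only input.
    Anything not on the CRL is answered "good", including serials the CA
    has no record of ever issuing."""
    return "revoked" if serial in ca.revoked else "good"


def issued_list_status(serial: int, ca: CaRecords) -> str:
    """Responder that bases its answer on the combined issued list and CRL.
    A serial absent from the CA's own records is never answered "good"."""
    if serial in ca.revoked:
        return "revoked"
    if serial in ca.issued:
        return "good"
    return "unknown"


def rogue_certificate_scenario() -> dict:
    """Constructed scenario in the spirit of the DigiNotar case: a certificate
    was issued through a compromise and the record of its issuance was
    destroyed, so its serial appears in neither the issued list nor the CRL."""
    ca = CaRecords(issued={1001, 1002, 1003}, revoked={1002})
    rogue_serial = 0xC0FFEE  # placeholder value, never recorded by the CA
    return {
        "crl_only": crl_only_status(rogue_serial, ca),
        "issued_list": issued_list_status(rogue_serial, ca),
    }
```

Running `rogue_certificate_scenario()` shows the CRL-only responder answering "good" for the rogue serial while the issued-list responder answers "unknown".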
