[cabfpub] Notes of meeting, CA/Browser Forum, Gjøvik, Norway, 26-28 June 2012
Yngve N. Pettersen (Developer Opera Software ASA)
yngve at opera.com
Fri Jul 6 06:27:49 UTC 2012
On Fri, 06 Jul 2012 08:04:11 +0200, <y-iida at secom.co.jp> wrote:
> Does it mean that OCSP responder implementations which:
> 1. read (only) CRL
> 2. check whether requested serial is in there
> 3. if there is, respond "Revoked"
> 4. if not, respond "Good"
> are not allowed?
That will be a natural consequence of the proposed change, which has not
yet been balloted.
Such a responder would be able to respond "good" for a certificate that
was never issued, according to the CA's own information.
However, such a certificate might have been caused to be issued by an
attacker, and the information destroyed, as was the case with DigiNotar.
Therefore, in order to not respond "good" for an unknown certificate, the
OCSP responder's responses need to be based on at least the combined list
of valid certificates and the revocation list.
>> Notes of meeting
>> CA/Browser Forum
>> Gjøvik, Norway
>> 26-28 June 2012
> ...
>> 8. BR Issues list.
> ...
>> It was decided to disallow the "Good" response in the case where the
>> OCSP responder for a particular CA does not know if that CA issued
>> the certificate.
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 23 69 32 60 Fax: +47 23 69 24 01
********************************************************************
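The two responder designs contrasted in this exchange (the CRL-only responder from the question, and the responder Yngve describes that consults the CA's record of issued certificates as well as the CRL), as an added example; this is illustrative code written for this page, not code from the thread, from Opera or from the CA/Browser Forum. The serial numbers, the issued-certificate set and the CRL are constructed sample data, and the status names follow the CertStatus choices of RFC 6960 ("good", "revoked", "unknown").

```python
"""
Toy model of the two OCSP responder designs discussed in the thread.

Status values mirror the CertStatus choices of RFC 6960.  The CA records
and CRL used below are constructed sample data, not real certificates.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class RevocationEntry:
    serial: int
    revocation_time: datetime
    reason: str = "unspecified"


@dataclass
class CaRecords:
    """What the CA actually knows: serials it issued, and the CRL it publishes."""
    issued_serials: set[int]
    crl: dict[int, RevocationEntry] = field(default_factory=dict)


def crl_only_status(serial: int, crl: dict[int, RevocationEntry]) -> CertStatus:
    """The responder from the question: consults only the CRL.

    Any serial absent from the CRL, including one the CA never issued,
    is reported as 'good'."""
    return CertStatus.REVOKED if serial in crl else CertStatus.GOOD


def issuance_aware_status(serial: int, records: CaRecords) -> CertStatus:
    """The responder the proposal requires: 'good' only for serials the CA
    has a record of issuing; anything else is 'revoked' or 'unknown'."""
    if serial in records.crl:
        # Revocation takes precedence even if the issuance record was lost.
        return CertStatus.REVOKED
    if serial in records.issued_serials:
        return CertStatus.GOOD
    return CertStatus.UNKNOWN


def divergent_serials(serials: list[int], records: CaRecords) -> list[int]:
    """Audit helper (assumed, not from the thread): serials for which a
    CRL-only responder would say 'good' but the CA has no issuance record."""
    return [
        s for s in serials
        if crl_only_status(s, records.crl) is CertStatus.GOOD
        and issuance_aware_status(s, records) is CertStatus.UNKNOWN
    ]


# Constructed sample data: three legitimately issued serials, one of them
# revoked, plus a serial an attacker minted after destroying the CA's
# issuance record (the DigiNotar scenario).
SAMPLE_RECORDS = CaRecords(
    issued_serials={0x1001, 0x1002, 0x1003},
    crl={0x1002: RevocationEntry(0x1002,
                                 datetime(2012, 6, 1, tzinfo=timezone.utc),
                                 "keyCompromise")},
)
ROGUE_SERIAL = 0xDEAD  # never recorded as issued
SAMPLE_QUERIES = [0x1001, 0x1002, 0x1003, ROGUE_SERIAL]


def compare_responders(serials: list[int], records: CaRecords) -> dict[int, tuple[str, str]]:
    """Return {serial: (crl_only_answer, issuance_aware_answer)}."""
    return {
        s: (crl_only_status(s, records.crl).value,
            issuance_aware_status(s, records).value)
        for s in serials
    }


if __name__ == "__main__":
    print(f"{'serial':>8}  {'CRL-only':>9}  {'issuance-aware':>14}")
    for serial, (crl_only, aware) in compare_responders(SAMPLE_QUERIES, SAMPLE_RECORDS).items():
        print(f"{serial:#8x}  {crl_only:>9}  {aware:>14}")
    print("serials a CRL-only responder would wrongly vouch for:",
          [hex(s) for s in divergent_serials(SAMPLE_QUERIES, SAMPLE_RECORDS)])
```

Running it shows the CRL-only responder answering "good" for 0xDEAD, while the issuance-aware responder answers "unknown"; the legitimately revoked serial is "revoked" from both. RFC 6960 also allows a responder to answer "revoked" instead of "unknown" for a certificate it has no record of issuing (with a revocationReason of certificateHold and a revocationTime of 1 January 1970); either way, what the proposal forbids is the "good" answer.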