[cabfpub] Ballot[80] - BR Response for non-issued certificates

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Mon Jul 23 19:33:35 UTC 2012


On Mon, 23 Jul 2012 20:57:10 +0200, Rick Andrews  
<Rick_Andrews at symantec.com> wrote:

>> As I recall, Rick, you are working on a document in the revocation work
>> group that should deal with the client aspect of this. This proposal is
>> about what the CA's OCSP responder should do.
>
> Yes, but that document is a set of recommended best practices, not  
> requirements. Your proposal is a requirement, not a recommended best  
> practice. There's still a strong imbalance between what browsers and CAs  
> have to do.

The scope of the BR is the Certificate issuance and management, so client  
handling of non-good responses really belongs in a different, related  
document. At present, your BCP is the best option available.

A BCP will help immensely at providing a platform for how clients should  
behave, and once there is such a document we can at least start fixing the  
major issues where we are not behaving correctly. If we don't, we will  
start receiving bug reports from people who check such things.

Knowing what the CAs will/can send is also going to help align the  
clients' handling of OCSP responses.

Regarding the handling of "unauthorized", which is likely to be the main  
(only?) return code for this case, as I have mentioned previously, that  
response has previously been seen frequently returned by malfunctioning  
OCSP responders, which is why Opera, at least, has so far treated it as  
non-fatal (it was treated as fatal in Opera 8.5x and 8.6x, but, at the  
time, the frequent multi-week stability problems with the responders,  
affecting major sites, made it impossible to keep it as a fatal error).  
Today, it may finally be possible to return that error code to being a  
fatal error.



-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************
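The message above turns on how a client classifies the OCSPResponse status it gets back, in particular whether "unauthorized" is a fatal error or is soft-failed the way a malfunctioning responder would be. The following is an added example, not code from the original post and not Opera's implementation: it parses only the outer OCSPResponse structure from RFC 2560 (responseStatus ENUMERATED plus the optional [0] responseBytes), then applies one of two client policies, a strict one in which "unauthorized" is fatal and a lenient one in which it is not. The policy names, the "unparseable" key and all sample byte strings are constructed for this example; the "successful" sample is only a structural skeleton, not a real signed response.

```python
"""Minimal OCSPResponse status parser with a pluggable client decision policy.

Added example (not from the original mailing-list post, not Opera's code).
Structure parsed, from RFC 2560 section 4.2.1:

    OCSPResponse ::= SEQUENCE {
        responseStatus  ENUMERATED { successful(0), malformedRequest(1),
                                     internalError(2), tryLater(3),
                                     sigRequired(5), unauthorized(6) },
        responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }

Error responses carry no responseBytes; a successful response must carry them.
"""

STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_ocsp_status(der):
    """Return (status_name, has_response_bytes) for a DER OCSPResponse."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("OCSPResponse must be a single SEQUENCE")
    tag, val, pos = _read_tlv(body, 0)
    if tag != 0x0A or len(val) != 1 or val[0] not in STATUS_NAMES:
        raise ValueError("responseStatus must be a known one-byte ENUMERATED")
    status = STATUS_NAMES[val[0]]
    has_bytes = False
    if pos < len(body):
        tag, _, pos = _read_tlv(body, pos)
        if tag != 0xA0 or pos != len(body):
            raise ValueError("expected [0] responseBytes and nothing after it")
        has_bytes = True
    # RFC 2560: responseBytes present iff responseStatus is successful.
    if (status == "successful") != has_bytes:
        raise ValueError("responseBytes presence does not match responseStatus")
    return status, has_bytes


# Client policies (assumed names). "accept" means go on to verify the enclosed
# BasicOCSPResponse; "hard-fail" aborts the connection; "soft-fail" proceeds as
# if no revocation information were available.
STRICT_POLICY = {"successful": "accept", "unauthorized": "hard-fail",
                 "malformedRequest": "hard-fail", "sigRequired": "hard-fail",
                 "internalError": "soft-fail", "tryLater": "soft-fail",
                 "unparseable": "hard-fail"}
# The lenient variant differs only in not treating "unauthorized" as fatal.
LENIENT_POLICY = dict(STRICT_POLICY, unauthorized="soft-fail")


def decide(der, policy):
    """Map a raw OCSPResponse to the client's action under the given policy."""
    try:
        status, _ = parse_ocsp_status(der)
    except ValueError:
        return policy["unparseable"]
    return policy[status]


# Constructed sample responses (not captured from any real responder).
UNAUTHORIZED = bytes.fromhex("30030a0106")       # SEQUENCE { ENUMERATED 6 }
TRY_LATER = bytes.fromhex("30030a0103")          # SEQUENCE { ENUMERATED 3 }
# Structural skeleton of a successful response: [0] { SEQUENCE { OID, OCTET STRING } }
SUCCESS_SKELETON = bytes.fromhex("300c0a0100a007300506012a0400")
TRUNCATED = bytes.fromhex("30030a01")            # length claims 3, only 2 follow

if __name__ == "__main__":
    for name, sample in [("unauthorized", UNAUTHORIZED), ("tryLater", TRY_LATER),
                         ("successful", SUCCESS_SKELETON), ("truncated", TRUNCATED)]:
        print("%-12s strict=%-9s lenient=%s" % (
            name, decide(sample, STRICT_POLICY), decide(sample, LENIENT_POLICY)))
```

Under STRICT_POLICY the "unauthorized" bytes produce "hard-fail" and under LENIENT_POLICY "soft-fail"; the two dictionaries are the whole difference between the two client behaviours discussed in the message, which is why keeping the status parsing separate from the policy makes such a change a one-line edit.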