[cabfpub] [cabfman] Update of Yngve's BR 1.1 issues + #10

Rick Andrews Rick_Andrews at symantec.com
Fri May 25 17:49:43 UTC 2012


(back to the public forum)

> The scenario I write about here should be fairly infrequent; preferably it
> should never happen. If it should happen, a few seconds delay is not a
> problem, but we need a hard fail for the site using it.

A few seconds delay *is* a problem. At the CABF Revocation meetings and lists, I've heard several browser vendors complain that CAs take too long to respond to OCSP requests. I doubt anyone would implement hard-fail if they had to wait several seconds to get a response.

> Which is generally considered non-fatal by many, if not all, browsers (I
> seem to recall FF consider such returns fatal). In fact, in the Opera
> 8.5x/8.6x timeframe we observed this response code from a major CA for two
> *weeks*, among several such incidents.

Instead of going to extreme measures like redefining established RFCs, let's just not tolerate such behavior from CAs! The whole point of Baseline Requirements is to raise the bar for all CAs. IMO, that's more easily achieved than changing RFCs.


More information about the Public mailing list