[cabfpub] FW: Short lived OCSP signing certificate

Ben Wilson ben at digicert.com
Mon Sep 17 12:39:00 MST 2012


Rick,
I thought that the Baseline Requirements were mandatory and that some of the
browsers were implementing in that fashion.  So shouldn't there be a section
in the document that clarifies how/when a practice is allowed (at least for
audit purposes)? -- unless there is no confusion.  Also, I think Dean was
collecting BR OIDs -- where are we on that?
Thanks,
Ben

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Monday, September 17, 2012 1:00 PM
To: jeremy.rowley at digicert.com; 'Gervase Markham'; 'Rob Stradling'
Cc: 'Mads Egil Henriksveen'; public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate

Jeremy,

Why can't CAs experiment with these right now by omitting the policy OID
indicating compliance with the BR?

-Rick

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 
> On Behalf Of Jeremy Rowley
> Sent: Monday, September 17, 2012 8:45 AM
> To: 'Gervase Markham'; 'Rob Stradling'
> Cc: 'Mads Egil Henriksveen'; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> We should modify the baseline requirements to permit CAs to issue 
> short lived certs on at least an interim basis while we continue 
> discussing their implementation and use.  That way those CAs and 
> clients interested in analyzing the performance benefits and security risks
> can do so.
> 
> Let's add this discussion to the face-to-face agenda.
> 
> Jeremy
> 
> 
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 
> On Behalf Of Gervase Markham
> Sent: Monday, September 17, 2012 9:26 AM
> To: Rob Stradling
> Cc: Mads Egil Henriksveen; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> On 17/09/12 16:07, Rob Stradling wrote:
> > On 17/09/12 15:43, Gervase Markham wrote:
> >> One advantage of C over B is that it requires no infrastructure
> >> changes.
> >
> > Gerv, which infrastructure(s) are you referring to?
> 
> Yes, sorry, I misspoke. Try this instead:
> 
> "One advantage of C over B is that no client-side changes are 
> required, and it can be rolled out on a per-site basis at a speed 
> appropriate for each site and their partner CA".
> 
> > I think most browsers would need some changes too.  I'm not aware of 
> > any browser that avoids doing online revocation checks just because 
> > the cert is short-lived (or is sufficiently fresh).  (And if online 
> > revocation checks are not being avoided, what's the point of 
> > short-lived certs?)
> 
> Firefox does not do online revocation checks if there is no revocation 
> information embedded in the cert :-) I believe this is a feature of 
> most imaginings of this plan.
> 
> > I think the BRs and EVGs may need some changes too, if the consensus 
> > is that short-lived certs are permitted to contain zero CRL/OCSP URLs.
> > (IIRC, opinions are divided on this point).
> 
> See above :-)
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public