[cabfpub] FW: Short lived OCSP signing certificate
Ben Wilson
ben at digicert.com
Mon Sep 17 19:39:00 UTC 2012
Rick,
I thought that the Baseline Requirements were mandatory and that some of the
browsers were implementing in that fashion. So shouldn't there be a section
in the document that clarifies how/when a practice is allowed (at least for
audit purposes)? --unless there is no confusion. Also, I think Dean was
collecting BR OIDs-- where are we on that?
Thanks,
Ben
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Monday, September 17, 2012 1:00 PM
To: jeremy.rowley at digicert.com; 'Gervase Markham'; 'Rob Stradling'
Cc: 'Mads Egil Henriksveen'; public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
Jeremy,
Why can't CAs experiment with these right now by omitting the policy OID
indicating compliance with the BR?
-Rick
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Jeremy Rowley
> Sent: Monday, September 17, 2012 8:45 AM
> To: 'Gervase Markham'; 'Rob Stradling'
> Cc: 'Mads Egil Henriksveen'; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
>
> We should modify the baseline requirements to permit CAs to issue
> short lived certs on at least an interim basis while we continue
> discussing their implementation and use. That way those CAs and
> clients interested in analyzing the performance benefits and security
> risks can do so.
>
> Let's add this discussion to the face-to-face agenda.
>
> Jeremy
>
>
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Gervase Markham
> Sent: Monday, September 17, 2012 9:26 AM
> To: Rob Stradling
> Cc: Mads Egil Henriksveen; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
>
> On 17/09/12 16:07, Rob Stradling wrote:
> > On 17/09/12 15:43, Gervase Markham wrote:
> >> One advantage of C over B is that it requires no infrastructure
> >> changes.
> >
> > Gerv, which infrastructure(s) are you referring to?
>
> Yes, sorry, I misspoke. Try this instead:
>
> "One advantage of C over B is that no client-side changes are
> required, and it can be rolled out on a per-site basis at a speed
> appropriate for each site and their partner CA".
>
> > I think most browsers would need some changes too. I'm not aware of
> > any browser that avoids doing online revocation checks just because
> > the cert is short-lived (or is sufficiently fresh). (And if online
> > revocation checks are not being avoided, what's the point of
> > short-lived certs?)
>
> Firefox does not do online revocation checks if there is no revocation
> information embedded in the cert :-) I believe this is a feature of
> most imaginings of this plan.
>
> > I think the BRs and EVGs may need some changes too, if the consensus
> > is that short-lived certs are permitted to contain zero CRL/OCSP URLs.
> > (IIRC, opinions are divided on this point).
>
> See above :-)
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
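An added example, not taken from any message in this thread: a Go program that builds constructed test certificates with the standard crypto/x509 package and applies the client rule Gerv describes (no OCSP or CRL pointer embedded in the leaf, so no online revocation check). It also flags the two situations the thread argues about: a short-lived certificate that still carries OCSP/CRL pointers, which Rob notes defeats the purpose, and a certificate that asserts a Baseline Requirements policy OID while carrying no revocation pointer, which is the audit case Ben raises and the case Rick proposes avoiding by omitting the OID. The 7-day "short-lived" threshold, the example.test hostnames and URLs and the note strings are assumptions made here; the policy OIDs 2.23.140.1.2.1 (DV) and 2.23.140.1.2.2 (OV) are the BR identifiers from Appendix B of BR 1.0.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// MaxShortLived is an assumed threshold; the thread does not fix one.
const MaxShortLived = 7 * 24 * time.Hour

// Notes returned by Decide (wording is this example's own).
const (
	NoteShortLivedWithPointers = "short-lived but still carries OCSP/CRL pointers: client checks online anyway"
	NoteAuditBR                = "asserts a BR policy OID with no OCSP/CRL pointer: flag for BR audit"
	NoteExperimental           = "short-lived, no pointers, no BR OID: experimental profile, no online check"
	NoteUnrevocable            = "long-lived with no revocation pointers: client cannot learn of revocation"
	NoteConventional           = "conventional certificate: online revocation check"
)

var (
	oidBRDomainValidated   = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // BR 1.0 Appendix B, DV
	oidBROrgValidated      = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // BR 1.0 Appendix B, OV
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}        // RFC 5280 certificatePolicies
)

// Decision is what a Firefox-style client would do plus what an auditor would flag.
type Decision struct {
	ShortLived, HasOCSP, HasCRL, AssertsBR, OnlineCheck bool
	Note                                                string
}

func assertsBR(cert *x509.Certificate) bool {
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(oidBRDomainValidated) || p.Equal(oidBROrgValidated) {
			return true
		}
	}
	return false
}

// Decide: no embedded revocation pointer means no online check; then classify.
func Decide(cert *x509.Certificate) Decision {
	d := Decision{
		ShortLived: cert.NotAfter.Sub(cert.NotBefore) <= MaxShortLived,
		HasOCSP:    len(cert.OCSPServer) > 0,
		HasCRL:     len(cert.CRLDistributionPoints) > 0,
		AssertsBR:  assertsBR(cert),
	}
	d.OnlineCheck = d.HasOCSP || d.HasCRL
	switch {
	case d.OnlineCheck && d.ShortLived:
		d.Note = NoteShortLivedWithPointers
	case d.OnlineCheck:
		d.Note = NoteConventional
	case d.AssertsBR:
		d.Note = NoteAuditBR
	case d.ShortLived:
		d.Note = NoteExperimental
	default:
		d.Note = NoteUnrevocable
	}
	return d
}

// policyInformation is RFC 5280 PolicyInformation with qualifiers omitted.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// MakeLeaf builds a self-signed test certificate (constructed sample data) with the
// given validity, optional OCSP/CRL URLs and policy OIDs. The certificatePolicies
// extension is emitted raw via ExtraExtensions so the code is independent of the
// Go version's policy field handling.
func MakeLeaf(validity time.Duration, ocspURL, crlURL string, policies []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // assumed name
		DNSNames:     []string{"example.test"},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ocspURL != "" {
		tmpl.OCSPServer = []string{ocspURL}
	}
	if crlURL != "" {
		tmpl.CRLDistributionPoints = []string{crlURL}
	}
	if len(policies) > 0 {
		var pis []policyInformation
		for _, p := range policies {
			pis = append(pis, policyInformation{Policy: p})
		}
		raw, err := asn1.Marshal(pis) // SEQUENCE OF PolicyInformation
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: raw}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name      string
		validity  time.Duration
		ocsp, crl string
		policies  []asn1.ObjectIdentifier
	}{
		{"3 days, no pointers, no BR OID", 3 * 24 * time.Hour, "", "", nil},
		{"3 days, OCSP pointer", 3 * 24 * time.Hour, "http://ocsp.example.test", "", nil},
		{"1 year, OCSP+CRL, BR DV OID", 365 * 24 * time.Hour, "http://ocsp.example.test", "http://crl.example.test/a.crl", []asn1.ObjectIdentifier{oidBRDomainValidated}},
		{"3 days, no pointers, BR DV OID", 3 * 24 * time.Hour, "", "", []asn1.ObjectIdentifier{oidBRDomainValidated}},
	}
	for _, c := range cases {
		cert, err := MakeLeaf(c.validity, c.ocsp, c.crl, c.policies)
		if err != nil {
			fmt.Println(c.name, "error:", err)
			continue
		}
		d := Decide(cert)
		fmt.Printf("%-34s online=%-5v %s\n", c.name, d.OnlineCheck, d.Note)
	}
}
```

Run it with `go run .`; the four constructed certificates cover each branch of Decide. Only the leaf's own pointers are examined, which matches the thread's framing; a deployed client would still need the intermediate and root handled separately.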