[cabfpub] FW: Short lived OCSP signing certificate

Dean Coclin Dean_Coclin at symantec.com
Mon Sep 17 19:56:17 UTC 2012


Here are the OIDs I've collected so far. I still have nothing from GoDaddy
or Comodo:

CABF Compliance OIDs

Company     OID                             Comments
Buypass     BR OID
Logius      2.16.528.1.1003.1.2.5.6         OV only
QuoVadis    1.3.6.1.4.1.8024.0.2.100.1.1    OV
QuoVadis    1.3.6.1.4.1.8024.0.2.100.1.2    EV
Digicert    2.16.840.1.114412.1.1
Startcom    BR OID
Symantec    2.16.840.1.113733.1.7.54        Verisign, Thawte, GeoTrust
Entrust     2.23.140.1.2.2
Trend       1.3.6.1.4.1.34697.1.1
Globalsign  BR OID
Trustis     1.3.6.1.4.1.5237.1.1.3
Identrust   2.16.840.1.113839.0.6.3         Commercial; will also include CABF OID 2.23.140.1.2.1
Identrust   2.16.840.1.101.3.2.1.1.5        Public Sector; will also include CABF OID 2.23.140.1.2.1
Izenpe      1.3.6.1.4.1.14777.1.2.1         Will also use CABF OID


Dean Coclin

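The table above and Rick's question further down ("omit the policy OID indicating compliance with the BR") both turn on what a certificate actually asserts in its certificatePolicies extension. The following is an added example, not code from the thread or from any CA named in it: a minimal DER encoder/decoder for certificatePolicies (SEQUENCE OF PolicyInformation, each carrying a policyIdentifier OID) plus a lookup that flags which OIDs from Dean's table a certificate carries. The OID-to-owner mapping is taken from the table; the "asserts BR" rule (any listed OID present) and the sample extension bytes are this example's own constructions. A real certificate would normally be parsed with a full X.509 library; the hand-rolled parser here only exists so the example runs offline.

```python
# Added example: DER encode/decode of the certificatePolicies extension
# and a check against the CABF OID table from the thread.  Sample bytes
# are constructed by encode_certificate_policies(); no real cert is used.

CABF_DV = "2.23.140.1.2.1"   # CA/Browser Forum BR, domain-validated
CABF_OV = "2.23.140.1.2.2"   # CA/Browser Forum BR, organization-validated

# CA-specific BR policy OIDs, copied from the table above (OID -> owner).
CA_BR_OIDS = {
    "2.16.528.1.1003.1.2.5.6": "Logius (OV only)",
    "1.3.6.1.4.1.8024.0.2.100.1.1": "QuoVadis OV",
    "1.3.6.1.4.1.8024.0.2.100.1.2": "QuoVadis EV",
    "2.16.840.1.114412.1.1": "Digicert",
    "2.16.840.1.113733.1.7.54": "Symantec (Verisign, Thawte, GeoTrust)",
    "1.3.6.1.4.1.34697.1.1": "Trend",
    "1.3.6.1.4.1.5237.1.1.3": "Trustis",
    "2.16.840.1.113839.0.6.3": "Identrust Commercial",
    "2.16.840.1.101.3.2.1.1.5": "Identrust Public Sector",
    "1.3.6.1.4.1.14777.1.2.1": "Izenpe",
}


def _base128(n):
    """Encode a non-negative int as a DER OID sub-identifier (7 bits per byte, MSB = more)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _der_len(n):
    """DER definite-form length: one byte below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06); first two arcs are packed as 40*a + b."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)


def encode_certificate_policies(oids):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, ... }."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Inverse of encode_oid for the OID content bytes (no tag/length)."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val or not arcs:
        raise ValueError("truncated OID sub-identifier")
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_certificate_policies(der):
    """Return the policyIdentifier OIDs of a DER certificatePolicies value, in order."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, obody, _ = _read_tlv(info, 0)   # policyQualifiers, if present, follow and are ignored
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(obody))
    return oids


def classify(oids):
    """Label each OID against the table; asserts_br is True if any table OID is present."""
    labels = []
    for o in oids:
        if o == CABF_DV:
            labels.append("CABF BR DV")
        elif o == CABF_OV:
            labels.append("CABF BR OV")
        elif o in CA_BR_OIDS:
            labels.append(CA_BR_OIDS[o] + " (BR)")
        else:
            labels.append("unrecognised: " + o)
    asserts_br = any(not lbl.startswith("unrecognised") for lbl in labels)
    return asserts_br, labels


if __name__ == "__main__":
    # Constructed sample: a cert asserting the CABF OV OID plus Digicert's own.
    sample = encode_certificate_policies([CABF_OV, "2.16.840.1.114412.1.1"])
    print(sample.hex())
    print(classify(decode_certificate_policies(sample)))
```

The decoder deliberately rejects anything but definite-length DER and stops at the first unexpected tag, which is the behaviour you want when the input comes from an untrusted certificate rather than from your own encoder.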
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Monday, September 17, 2012 3:39 PM
To: Rick Andrews; jeremy.rowley at digicert.com; 'Gervase Markham'; 'Rob
Stradling'
Cc: 'Mads Egil Henriksveen'; public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate

Rick,
I thought that the Baseline Requirements were mandatory and that some of the
browsers were implementing in that fashion.  So shouldn't there be a section
in the document that clarifies how/when a practice is allowed (at least for
audit purposes)? --unless there is no confusion.  Also, I think Dean was
collecting BR OIDs-- where are we on that?
Thanks,
Ben

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Monday, September 17, 2012 1:00 PM
To: jeremy.rowley at digicert.com; 'Gervase Markham'; 'Rob Stradling'
Cc: 'Mads Egil Henriksveen'; public at cabforum.org
Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate

Jeremy,

Why can't CAs experiment with these right now by omitting the policy OID
indicating compliance with the BR?

-Rick

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Jeremy Rowley
> Sent: Monday, September 17, 2012 8:45 AM
> To: 'Gervase Markham'; 'Rob Stradling'
> Cc: 'Mads Egil Henriksveen'; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> We should modify the baseline requirements to permit CAs to issue 
> short lived certs on at least an interim basis while we continue 
> discussing their implementation and use.  That way those CAs and 
> clients interested in analyzing the performance benefits and security 
> risks can do so.
> 
> Let's add this discussion to the face-to-face agenda.
> 
> Jeremy
> 
> 
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Gervase Markham
> Sent: Monday, September 17, 2012 9:26 AM
> To: Rob Stradling
> Cc: Mads Egil Henriksveen; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> On 17/09/12 16:07, Rob Stradling wrote:
> > On 17/09/12 15:43, Gervase Markham wrote:
> >> One advantage of C over B is that it requires no infrastructure changes.
> >
> > Gerv, which infrastructure(s) are you referring to?
> 
> Yes, sorry, I misspoke. Try this instead:
> 
> "One advantage of C over B is that no client-side changes are 
> required, and it can be rolled out on a per-site basis at a speed 
> appropriate for each site and their partner CA".
> 
> > I think most browsers would need some changes too.  I'm not aware of 
> > any browser that avoids doing online revocation checks just because 
> > the cert is short-lived (or is sufficiently fresh).  (And if online 
> > revocation checks are not being avoided, what's the point of 
> > short-lived certs?)
> 
> Firefox does not do online revocation checks if there is no revocation 
> information embedded in the cert :-) I believe this is a feature of 
> most imaginings of this plan.
> 
> > I think the BRs and EVGs may need some changes too, if the consensus 
> > is that short-lived certs are permitted to contain zero CRL/OCSP URLs.
> > (IIRC, opinions are divided on this point).
> 
> See above :-)
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public