[cabfpub] FW: Short lived OCSP signing certificate

Rick Andrews Rick_Andrews at symantec.com
Mon Sep 17 20:53:14 UTC 2012


Ben,

I think there was some debate about whether the oids were mandatory. Tim told me months ago that he expected that some CAs would not add the OID for every cert, just those that it knew to be BR-compliant. That's why I thought that a CA could simply issue a cert without the OID, and therefore would not be misrepresenting anything.

Dean forwarded his list of OIDs. In an informal survey, I saw only Symantec and Digicert issuing certs with BR oids, and updating their CPS. I don't know where the other CAs are at.

-Rick

> -----Original Message-----
> From: Ben Wilson [mailto:ben at digicert.com]
> Sent: Monday, September 17, 2012 12:39 PM
> To: Rick Andrews; jeremy.rowley at digicert.com; 'Gervase Markham'; 'Rob
> Stradling'
> Cc: 'Mads Egil Henriksveen'; public at cabforum.org
> Subject: RE: [cabfpub] FW: Short lived OCSP signing certificate
> 
> Rick,
> I thought that the Baseline Requirements were mandatory and that some of the
> browsers were implementing in that fashion.  So shouldn't there be a section
> in the document that clarifies how/when a practice is allowed (at least for
> audit purposes)? --unless there is no confusion.  Also, I think Dean was
> collecting BR OIDs-- where are we on that?
> Thanks,
> Ben
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Rick Andrews
> Sent: Monday, September 17, 2012 1:00 PM
> To: jeremy.rowley at digicert.com; 'Gervase Markham'; 'Rob Stradling'
> Cc: 'Mads Egil Henriksveen'; public at cabforum.org
> Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> 
> Jeremy,
> 
> Why can't CAs experiment with these right now by omitting the policy OID
> indicating compliance with the BR?
> 
> -Rick
> 
> > -----Original Message-----
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Jeremy Rowley
> > Sent: Monday, September 17, 2012 8:45 AM
> > To: 'Gervase Markham'; 'Rob Stradling'
> > Cc: 'Mads Egil Henriksveen'; public at cabforum.org
> > Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> >
> > We should modify the baseline requirements to permit CAs to issue
> > short lived certs on at least an interim basis while we continue
> > discussing their implementation and use.  That way those CAs and
> > client interested in analyzing the performance benefits and security risks
> can do so.
> >
> > Let's add this discussion to the face-to-face agenda.
> >
> > Jeremy
> >
> >
> >
> > -----Original Message-----
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Gervase Markham
> > Sent: Monday, September 17, 2012 9:26 AM
> > To: Rob Stradling
> > Cc: Mads Egil Henriksveen; public at cabforum.org
> > Subject: Re: [cabfpub] FW: Short lived OCSP signing certificate
> >
> > On 17/09/12 16:07, Rob Stradling wrote:
> > > On 17/09/12 15:43, Gervase Markham wrote:
> > >> One advantage of C over B is that it requires no infrastructure
> changes.
> > >
> > > Gerv, which infrastructure(s) are you referring to?
> >
> > Yes, sorry, I misspoke. Try this instead:
> >
> > "One advantage of C over B is that no client-side changes are
> > required, and it can be rolled out on a per-site basis at a speed
> > appropriate for each site and their partner CA".
> >
> > > I think most browsers would need some changes too.  I'm not aware of
> > > any browser that avoids doing online revocation checks just because
> > > the cert is short-lived (or is sufficiently fresh).  (And if online
> > > revocation checks are not being avoided, what's the point of
> > > short-lived certs?)
> >
> > Firefox does not to online revocation checks if there is no revocation
> > information embedded in the cert :-) I believe this is a feature of
> > most imaginings of this plan.
> >
> > > I think the BRs and EVGs may need some changes too, if the consensus
> > > is that short-lived certs are permitted to contain zero CRL/OCSP URLs.
> > > (IIRC, opinions are divided on this point).
> >
> > See above :-)
> >
> > Gerv
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public




More information about the Public mailing list