[cabfpub] BR Issue 7 - OCSP Stapling

Ben Wilson ben at digicert.com
Wed Jan 23 18:02:18 MST 2013


Here is another draft of potential ballot language to fix OCSP Stapling in
the Baseline Requirements.

Comments welcome -

Erratum begins:

A. In Section 13.2.1 "Mechanisms" remove the second paragraph and
insert the following:

The CA / Browser Forum's certificate extension OID for mustStaple is
2.23.140.16.1.  If a Subscriber requests a Certificate for use in accordance
with OCSP stapling [RFC4366], then the CA SHALL issue the Certificate with
the mustStaple certificate extension and the CA SHALL contractually require
the Subscriber to pre-fetch the OCSP response from the URL identified in the
Certificate and staple that OCSP Response to the Subscriber's TLS responses
to requests for its Certificate from TLS clients that indicate they support
OCSP stapling.

B. In Appendix B "Subordinate CA Certificate" remove point C
(authorityInformationAccess) and insert:

C. authorityInformationAccess

This extension MUST be present.  It MUST NOT be marked critical, and it MUST
contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1).

See Section 13.2.1 for details about OCSP stapling requirements.

Certificates that are not issued by a Root CA SHOULD contain an AIA with the
HTTP URL where a copy of the Issuing CA's certificate (accessMethod =
1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online repository.

C. In Appendix B "Subscriber Certificate" remove the last sentence that
says, "See Section 13.2.1 for details."

D. In Appendix B "Subscriber Certificate" remove point C
(authorityInformationAccess) and insert:

C. authorityInformationAccess

This extension MUST be present.  It MUST NOT be marked critical, and it MUST
contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1).

See Section 13.2.1 for details about OCSP stapling requirements.

Subscriber Certificates SHOULD contain an AIA with the HTTP URL where a copy
of the Issuing CA's certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be
downloaded from a 24x7 online repository.

E. In Appendix B "Subscriber Certificate" remove point D
(basicConstraints) and insert:

D. basicConstraints (optional)

If present, this field MUST be marked critical and the cA field MUST be set
to false.

F. In Appendix B "Subscriber Certificate" after point F insert a new
point G (mustStaple Certificate Extension) as follows:

G. mustStaple Certificate Extension (optional)

If present, this certificate extension MUST NOT be marked critical, and it
MUST contain the CA/Browser Forum OID of 2.23.140.16.1 (mustStaple).

Erratum ends
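An added example, not part of the draft or of any Forum artefact: a Go linter for the Appendix B wording above, run against a constructed self-signed leaf. The OCSP URL, the example.test names and the extension's ASN.1 NULL payload are assumptions, since the draft specifies no value for the mustStaple extension.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"strings"
	"time"
)

// mustStaple OID as named in the erratum; id-pe-authorityInfoAccess is from RFC 5280.
var (
	oidMustStaple = asn1.ObjectIdentifier{2, 23, 140, 16, 1}
	oidAIA        = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}
)
// CheckSubscriberProfile lints a parsed cert against Appendix B points C and G of the draft; nil means compliant.
func CheckSubscriberProfile(cert *x509.Certificate) (bad []string) {
	for _, ext := range cert.Extensions {
		switch {
		case ext.Id.Equal(oidAIA) && ext.Critical:
			bad = append(bad, "AIA MUST NOT be marked critical")
		case ext.Id.Equal(oidMustStaple) && ext.Critical:
			bad = append(bad, "mustStaple MUST NOT be marked critical")
		}
	}
	// Go fills OCSPServer only from an AIA extension, so this also covers "MUST be present".
	if len(cert.OCSPServer) == 0 || !strings.HasPrefix(cert.OCSPServer[0], "http://") {
		bad = append(bad, "AIA MUST contain the HTTP URL of the Issuing CA's OCSP responder")
	}
	return bad
}
// SampleSubscriberCert: constructed self-signed leaf with AIA and mustStaple (NULL payload is an assumption).
func SampleSubscriberCert(stapleCritical bool) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed: test fixture only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // point E: Go emits this critical with cA=false
		OCSPServer:            []string{"http://ocsp.example.test"},
		ExtraExtensions: []pkix.Extension{{Id: oidMustStaple, Critical: stapleCritical, Value: []byte{0x05, 0x00}}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Swapping `stapleCritical` to true reproduces the one violation point G forbids, while the compliant fixture returns no findings.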
