[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Chris Palmer palmer at google.com
Tue Jul 23 14:44:44 MST 2013


On Tue, Jul 23, 2013 at 2:25 PM, Rob Stradling <rob.stradling at comodo.com> wrote:

> Unless Google have backtracked and I missed it, Chrome only uses OCSP
> when the TLS server sends a Stapled OCSP Response.  So in the (majority)
> case of lack of support for OCSP Stapling by TLS Servers, Chrome won't
> check OCSP _at all_.
>
> So I'm puzzled.  Why would you remove EV indicators due to non-compliant
> OCSP in the many cases where you're not actually relying on OCSP at all?

When validating EV certificate chains, Chrome first checks the CRLSet,
if the issuer is covered by one. That gets us the benefit of
revocation without the latency cost. If no CRLSet covers that issuer,
we check any stapled OCSP. Failing that, we do check OCSP, taking the
latency hit.

A CA that has trouble standing up a new OCSP server in a timely manner
is not one we'd like to give EV treatment to. This is especially
important for OCSP Must Staple to be viable.
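The three-tier order described above (CRLSet when the issuer is covered, otherwise any stapled OCSP response, otherwise a live OCSP fetch) is easy to mis-read as "Chrome never fetches OCSP". The following is an added example, not Chromium code or anything from the thread, that models that order as a small decision function so the network-fetch count can be observed for each case. It also includes a probe for the rule this ballot is about: a responder must not answer "good" for a serial it never issued. The `CRLSet`, `Cert` and `Responder` classes, the issuer ids, serial numbers and the `check_ev_revocation` / `responder_says_good_for_unissued` names are all constructed for illustration.

```python
"""Added example: toy model of the EV revocation-check order described in the
reply (CRLSet first, then a stapled OCSP response, then a live OCSP fetch),
plus a probe for the Ballot 106 rule that a responder must not say "good" for
a serial it never issued.  All names and data here are constructed for
illustration; this is not Chromium's code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# OCSP certStatus values (RFC 6960).  "unknown" is what a responder should say
# about a serial it has no record of issuing.
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class CRLSet:
    """Constructed stand-in for a browser CRLSet: issuer id -> revoked serials.
    An issuer that appears as a key is 'covered', even if its set is empty."""
    entries: Dict[str, Set[int]]

    def covers(self, issuer: str) -> bool:
        return issuer in self.entries

    def is_revoked(self, issuer: str, serial: int) -> bool:
        return serial in self.entries.get(issuer, set())


@dataclass
class Cert:
    issuer: str
    serial: int
    stapled_status: Optional[str] = None  # certStatus stapled in the TLS handshake, if any


@dataclass
class Responder:
    """Constructed OCSP responder.  good_for_unissued=True models the
    misbehaviour the ballot prohibits."""
    issued: Set[int]
    revoked: Set[int]
    good_for_unissued: bool = False
    calls: int = 0  # counts network fetches the client had to make

    def __call__(self, issuer: str, serial: int) -> str:
        self.calls += 1
        if serial in self.revoked:
            return REVOKED
        if serial in self.issued or self.good_for_unissued:
            return GOOD
        return UNKNOWN


def check_ev_revocation(cert: Cert, crlset: CRLSet,
                        fetch_ocsp: Callable[[str, int], str]) -> Tuple[str, str]:
    """Return (status, source) following the order in the post:
    1. CRLSet, if it covers the issuer (no network round trip);
    2. otherwise a stapled OCSP response, if the server sent one;
    3. otherwise a live OCSP fetch, paying the latency cost."""
    if crlset.covers(cert.issuer):
        status = REVOKED if crlset.is_revoked(cert.issuer, cert.serial) else GOOD
        return status, "crlset"
    if cert.stapled_status is not None:
        return cert.stapled_status, "stapled"
    return fetch_ocsp(cert.issuer, cert.serial), "ocsp-fetch"


def responder_says_good_for_unissued(fetch_ocsp: Callable[[str, int], str],
                                     issuer: str, never_issued_serial: int) -> bool:
    """Compliance probe for the ballot's requirement: ask about a serial the CA
    is known never to have issued; a compliant responder must not answer
    'good'.  Returns True when the responder is non-compliant."""
    return fetch_ocsp(issuer, never_issued_serial) == GOOD


if __name__ == "__main__":
    crlset = CRLSet({"IssuerA": {5}})            # IssuerA covered, serial 5 revoked
    responder = Responder(issued={1, 2, 3}, revoked={2})
    print(check_ev_revocation(Cert("IssuerA", 5), crlset, responder))   # crlset, no fetch
    print(check_ev_revocation(Cert("IssuerB", 2, REVOKED), crlset, responder))  # stapled
    print(check_ev_revocation(Cert("IssuerB", 3), crlset, responder))   # live fetch
    print("fetches:", responder.calls)
    lax = Responder(issued={1}, revoked=set(), good_for_unissued=True)
    print("lax responder non-compliant:",
          responder_says_good_for_unissued(lax, "IssuerB", 99))
```

Running the script shows the point of the ordering: the CRLSet and stapled cases complete with zero fetches, and only the uncovered, unstapled case hits the responder. The probe at the end is the kind of check a CA or browser vendor can run against its own responder before a deadline like this one.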
