[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Sigbjørn Vik sigbjorn at opera.com
Wed Jul 24 00:08:50 MST 2013


On 23-Jul-13 22:20, Ben Wilson wrote:
> Corrected -
> 
> Ballot 106 – Extended Deadline to Prohibit OCSP “Good” Response for 
> Non-Issued Certificates

Opera votes NO

On 24-Jul-13 00:30, Stephen Davidson wrote:
> many CAs use OCSP software from external vendors.  CA/B Forum never
> communicated with those vendors that it was changing, in effect, a
> standard mode of operation.

It is not the responsibility of the CA/B Forum to contact OCSP vendors.
If their customers (CAs) have new requirements, it is the CAs'
responsibility to ensure they meet the requirements. Typically this is
done by informing the vendor that "After date X, we need support for Y.
If you can't provide this, we will need to switch vendor." Blaming OCSP
vendors is missing the mark; any CAs who failed to require proper
support from their vendors and subsequently failed to switch vendors
have nobody but themselves to blame.

On 24-Jul-13 00:34, Kelvin Yiu wrote:
> I do not want CAs
> to rush the deployment OCSP responders where the OCSP responder may
> require network access to the CA server to obtain the real time
> status of certificates.

Setting the OCSP responder up as a network bridge does indeed sound like
an unwise setup. A much better solution would presumably be to push new
serials to the responder; it would completely avoid the issues you are
concerned about. This is e.g. how CT will operate.


-- 
Sigbjørn Vik
Opera Software
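The contrast between the two responder designs discussed in this thread, as an added illustration that is not part of the original post or of any CA's or OCSP vendor's software: a blacklist-only responder, which knows only the revoked serials and so answers "good" for any serial it has never seen (including serials the CA never issued), beside a responder that is pushed the serial of every issued certificate at issuance time and therefore needs no network path back into the CA. All serial numbers, class names and the three status strings are constructed for the example.

```python
"""Added example: OCSP status lookup for issued vs. non-issued serials.

Not code from the mailing-list post or from any CA/OCSP product; the
serial numbers below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class BlacklistResponder:
    """Responder that only knows the CRL contents (revoked serials)."""

    revoked: Set[int] = field(default_factory=set)

    def status(self, serial: int) -> str:
        # Anything absent from the revocation list is reported as "good",
        # even if the CA never issued a certificate with that serial.
        # This is exactly the behaviour the ballot prohibits.
        return REVOKED if serial in self.revoked else GOOD


@dataclass
class WhitelistResponder:
    """Responder fed by pushes of issued serials, as suggested in the post."""

    issued: Set[int] = field(default_factory=set)
    revoked: Set[int] = field(default_factory=set)

    def push_issued(self, serial: int) -> None:
        # The CA pushes each serial to the responder when it issues the
        # certificate; the responder never has to query the CA online.
        self.issued.add(serial)

    def push_revoked(self, serial: int) -> None:
        # Revoking a serial the responder was never told about is a data
        # consistency error, so it is rejected rather than silently accepted.
        if serial not in self.issued:
            raise ValueError(f"cannot revoke unissued serial {serial:#x}")
        self.revoked.add(serial)

    def status(self, serial: int) -> str:
        if serial in self.revoked:
            return REVOKED
        if serial in self.issued:
            return GOOD
        # Never pushed: answer with a status other than "good".
        return UNKNOWN


def compare(queries: Iterable[int]) -> Dict[str, Tuple[str, str]]:
    """Run the same queries against both responders and return
    {serial_hex: (blacklist_answer, whitelist_answer)}.

    Constructed sample CA state: serials 0x1001 and 0x1234 were issued,
    0x1234 was later revoked, and 0x9999 was never issued at all.
    """
    blacklist = BlacklistResponder(revoked={0x1234})

    whitelist = WhitelistResponder()
    for serial in (0x1001, 0x1234):
        whitelist.push_issued(serial)
    whitelist.push_revoked(0x1234)

    return {hex(q): (blacklist.status(q), whitelist.status(q)) for q in queries}


if __name__ == "__main__":
    for serial_hex, (old, new) in compare([0x1001, 0x1234, 0x9999]).items():
        print(f"{serial_hex}: blacklist-only={old:8s} whitelist-fed={new}")
```

The only query on which the two designs differ is the never-issued serial: the blacklist-only responder says "good", the whitelist-fed one says "unknown". Because the issued set is pushed to the responder rather than pulled from the CA on demand, the responder can sit in a network segment with no route to the CA, which is the concern raised about real-time lookups in the quoted message.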