[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Rob Stradling rob.stradling at comodo.com
Wed Jul 24 06:44:27 MST 2013


On 23/07/13 22:44, Chris Palmer wrote:
> On Tue, Jul 23, 2013 at 2:25 PM, Rob Stradling <rob.stradling at comodo.com> wrote:
>
>> Unless Google have backtracked and I missed it, Chrome only uses OCSP
>> when the TLS server sends a Stapled OCSP Response.  So in the (majority)
>> case of lack of support for OCSP Stapling by TLS Servers, Chrome won't
>> check OCSP _at all_.
>>
>> So I'm puzzled.  Why would you remove EV indicators due to non-compliant
>> OCSP in the many cases where you're not actually relying on OCSP at all?
>
> When validating EV certificate chains, Chrome first checks the CRLSet,
> if the issuer is covered by one. That gets us the benefit of
> revocation without the latency cost. If no CRLSet covers that issuer,
> we check any stapled OCSP.

So when there is an applicable CRLSet, Chrome won't use OCSP at all. 
IIRC, when Adam first set up the CRLSet mechanism, he created CRLSets for
all known EV Sub-CAs.  So IINM, Chrome today is very unlikely to use 
OCSP to check any EV certificate, and yet you want to remove EV 
indicators based on OCSP Responder behaviour?  This still puzzles me.

Incidentally, CRLSets will be just as bad at dealing with "non-issued" 
certs as (BRs-non-compliant) OCSP is!  And yet you prioritize CRLSets over
(BRs-compliant) Stapled OCSP Responses?

> Failing that, we do check OCSP, taking the latency hit.

Ah, so something has changed.  Previously, you'd switched off Online 
OCSP lookups in all cases.

http://www.computerworld.com/s/article/9224078/Google_Chrome_will_no_longer_check_for_revoked_SSL_certificates_online

> A CA that has trouble standing up a new OCSP server in a timely manner
> is not one we'd like to give EV treatment to. This is especially
> important for OCSP Must Staple to be viable.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
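The revocation-check precedence Chris describes (CRLSet, then stapled OCSP, then online OCSP) and the "non-issued certificate" gap Rob raises, as an added Python model written for this archive page; it is not Chrome's code or anything from the thread, and the issuer records, serial numbers and the `Issuer` / `Verdict` names are constructed for illustration:

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # what a BRs-compliant responder says about a serial it never issued


@dataclass
class Issuer:
    """Constructed model of one Sub-CA as seen by a client."""
    name: str
    issued: set = field(default_factory=set)    # serials the CA actually issued
    revoked: set = field(default_factory=set)   # serials on its CRL, hence in a CRLSet
    crlset_covered: bool = False                # Chrome ships a CRLSet for this issuer
    ocsp_compliant: bool = True                 # False: responder says "good" for any serial


def crlset_lookup(issuer: Issuer, serial: int) -> Verdict:
    # A CRLSet is a list of revoked serials: anything absent looks fine,
    # whether or not the CA ever issued it. This is the gap Rob points out.
    return Verdict.REVOKED if serial in issuer.revoked else Verdict.GOOD


def ocsp_lookup(issuer: Issuer, serial: int) -> Verdict:
    if serial in issuer.revoked:
        return Verdict.REVOKED
    if serial in issuer.issued or not issuer.ocsp_compliant:
        return Verdict.GOOD          # non-compliant responder vouches for unknown serials too
    return Verdict.UNKNOWN           # compliant responder refuses to vouch for a non-issued serial


def check_ev_revocation(issuer: Issuer, serial: int, stapled: bool = False):
    """Return (source consulted, verdict) using the precedence described in the thread."""
    if issuer.crlset_covered:
        return "crlset", crlset_lookup(issuer, serial)
    source = "stapled_ocsp" if stapled else "online_ocsp"
    return source, ocsp_lookup(issuer, serial)


if __name__ == "__main__":
    ca = Issuer("Example EV Sub-CA (constructed)", issued={0x1001, 0x1002},
                revoked={0x1002}, crlset_covered=True)
    print(check_ev_revocation(ca, 0xBAD))   # non-issued serial passes via CRLSet
```

Running it shows that with a CRLSet in play the OCSP responder is never consulted, so a serial the CA never issued is judged "good" regardless of how the responder behaves.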
