[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Rob Stradling rob.stradling at comodo.com
Thu Jul 25 12:25:56 MST 2013


Thanks Adam.  So Google are only interested in this issue because of 
what you believe it indicates about the competence of each CA.  Fair enough.

On 24/07/13 16:09, Adam Langley wrote:
> On Wed, Jul 24, 2013 at 9:44 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
>> Ah, so something has changed.  Previously, you'd switched off Online
>> OCSP lookups in all cases.
>
> I think Chris is using Mac where OCSP checks are done for EV due to
> platform behaviours on OS X.
>
> On other platforms, a valid, current CRLSet will disable OCSP checks.
> See line 90 of
>
> http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/cert_verify_proc.cc?revision=211347
>
>> So IINM, Chrome today is very unlikely to use
>> OCSP to check any EV certificate, and yet you want to remove EV
>> indicators based on OCSP Responder behaviour?  This still puzzles me.
>
> Without hard-fail OCSP, you're quite correct that this measure is not
> especially important. I don't believe, off hand, that it materially
> affects Chrome security.
>
> I think you're reading Ryan's response as suggesting that we feel that
> this measure is deeply important and that EV status is unreasonable
> for CAs that don't implement it. I don't believe that was the
> intention.
>
> Rather, with a "no" vote, we're saying that a year (roughly) is a
> reasonable amount of time to implement this. CAs have to correctly
> perform a fairly technical task. They should have the technical
> ability, in-house, to do something like this. Some might want to buy
> outside software in order to use that ability more efficiently but
> that doesn't mean that they don't have to meet the Baseline.
>
> Separately, and generally, we're saying that the Baseline is important
> and that CAs that fall below it risk measures including the removal of
> EV status. Any actions will be proportionate, but CAs should expect to
> meet the requirements in the Baseline.
>
>
> Cheers
>
> AGL
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ


