[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Kelvin Yiu kelviny at exchange.microsoft.com
Tue Jul 23 22:34:14 UTC 2013


"A CA that has trouble standing up a new OCSP server in a timely manner is not one we'd like to give EV treatment to. This is especially important for OCSP Must Staple to be viable."

Actually this is exactly what I wanted to avoid - I do not want CAs to rush the deployment of OCSP responders where the OCSP responder may require network access to the CA server to obtain the real-time status of certificates. (I am not saying all OCSP responders have this requirement, but some do.) I think this creates far more risk to the CA than the benefit provided by not responding OCSP good for non-issued certificates, especially for a requirement that attempts to mitigate the case where the attacker can directly access the CA's signing key and can issue new certificates with known serial numbers.

Kelvin

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Chris Palmer
Sent: Tuesday, July 23, 2013 2:45 PM
To: Rob Stradling
Cc: CABFPub
Subject: Re: [cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

On Tue, Jul 23, 2013 at 2:25 PM, Rob Stradling <rob.stradling at comodo.com> wrote:

> Unless Google have backtracked and I missed it, Chrome only uses OCSP 
> when the TLS server sends a Stapled OCSP Response.  So in the 
> (majority) case of lack of support for OCSP Stapling by TLS Servers, 
> Chrome won't check OCSP _at all_.
>
> So I'm puzzled.  Why would you remove EV indicators due to 
> non-compliant OCSP in the many cases where you're not actually relying on OCSP at all?

When validating EV certificate chains, Chrome first checks the CRLSet, if the issuer is covered by one. That gets us the benefit of revocation without the latency cost. If no CRLSet covers that issuer, we check any stapled OCSP. Failing that, we do check OCSP, taking the latency hit.

A CA that has trouble standing up a new OCSP server in a timely manner is not one we'd like to give EV treatment to. This is especially important for OCSP Must Staple to be viable.
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
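Two things in this thread are mechanical enough to model in code: the responder behaviour the ballot is about (answering "good" for a serial number the CA never issued, versus the RFC 6960 section 2.2 answer of "revoked" with reason certificateHold plus the extended-revoke extension), and the order of checks Chris Palmer describes Chrome applying to EV chains (CRLSet first, then a stapled OCSP response, then a live OCSP fetch). The block below is an added example written for this page; it is not code from the CA/Browser Forum, Chrome, or any CA. The serial numbers, issuer name and in-memory "CA database" are constructed for the example, and a dict stands in for what would really be a signed, DER-encoded OCSP response.

```python
"""Toy model of the two behaviours discussed in the thread (added example,
not code from the CA/Browser Forum or from Chrome).

1. An OCSP responder that answers "good" for serials it never issued (the
   behaviour Ballot 106 concerns) beside one that follows RFC 6960 s2.2 and
   answers "revoked"/certificateHold with the extended-revoke extension.
2. A relying party that orders its checks the way the thread describes
   Chrome doing for EV chains: CRLSet, then stapled OCSP, then live OCSP.

Serials, issuer names and the "CA database" below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# OID of the extended-revoke definition extension, RFC 6960 section 4.4.8.
ID_PKIX_OCSP_EXTENDED_REVOKE = "1.3.6.1.5.5.7.48.1.9"


@dataclass
class OcspResponse:
    serial: int
    status: str                       # "good" | "revoked" | "unknown"
    reason: Optional[str] = None      # CRLReason name, e.g. "certificateHold"
    extensions: set = field(default_factory=set)


@dataclass
class Responder:
    """In-memory stand-in for a CA's certificate database (constructed)."""
    issued: dict                      # serial -> "good" | "revoked"
    legacy_good_for_unissued: bool = False

    def respond(self, serial: int) -> OcspResponse:
        if serial in self.issued:
            return OcspResponse(serial, self.issued[serial])
        if self.legacy_good_for_unissued:
            # Pre-ballot behaviour: anything not on the CRL is "good", so a
            # certificate signed with a never-used serial validates cleanly.
            return OcspResponse(serial, "good")
        # RFC 6960 s2.2: a responder that knows the serial was never issued
        # MAY answer "revoked", SHOULD use reason certificateHold, and MUST
        # include the extended-revoke extension so clients can tell this
        # apart from an ordinary revocation.
        return OcspResponse(serial, "revoked", "certificateHold",
                            {ID_PKIX_OCSP_EXTENDED_REVOKE})


def check_ev_chain(issuer: str, serial: int, crlset: dict,
                   stapled: Optional[OcspResponse],
                   fetch: Callable[[int], Optional[OcspResponse]]):
    """Return (verdict, source) following the order described in the thread.

    crlset: {issuer_name: set_of_revoked_serials}; an issuer that appears as
            a key is "covered" even when its set is empty.
    stapled: OCSP response sent by the TLS server, or None.
    fetch:   callable performing the live OCSP round trip (None on failure).
    """
    if issuer in crlset:                      # no network round trip
        verdict = "revoked" if serial in crlset[issuer] else "good"
        return verdict, "crlset"
    if stapled is not None and stapled.serial == serial:
        return stapled.status, "stapled"
    live = fetch(serial)                      # the latency hit
    if live is None:
        return "unknown", "ocsp-fetch-failed"
    return live.status, "ocsp"


# Constructed CA state: 0x1001 issued and valid, 0x1002 issued and revoked,
# 0xDEAD never issued (an attacker with the signing key could mint it).
CA_DB = {0x1001: "good", 0x1002: "revoked"}
LEGACY = Responder(dict(CA_DB), legacy_good_for_unissued=True)
COMPLIANT = Responder(dict(CA_DB))


def forged_serial_verdicts(serial: int = 0xDEAD):
    """What each responder says about a serial the CA never issued."""
    return (LEGACY.respond(serial).status, COMPLIANT.respond(serial).status)


if __name__ == "__main__":
    print("legacy / compliant verdict for forged serial:", forged_serial_verdicts())
    print(check_ev_chain("Example CA", 0x1002, {"Example CA": {0x1002}}, None, COMPLIANT.respond))
    print(check_ev_chain("Example CA", 0xDEAD, {}, None, LEGACY.respond))
    print(check_ev_chain("Example CA", 0xDEAD, {}, None, COMPLIANT.respond))
```

Run stand-alone, the script shows the forged serial getting "good" from the legacy responder and "revoked" from the compliant one, and the client returning whichever source answered first in CRLSet, stapled, live order. A real client would additionally verify the response signature, check thisUpdate/nextUpdate, and decide what "unknown" or a failed fetch means for EV treatment; those policy choices are exactly what the thread is arguing about and are left out here.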