[cabfpub] FW: Ballot 100: Extend Deadline - OCSP Good Response

Steve Roylance steve.roylance at globalsign.com
Fri May 24 15:04:08 UTC 2013

Forwarding to the Public list, adding some clarification from Entrust and
their support to allow more time.

On 24/05/2013 15:12, "Bruce Morton" <bruce.morton at entrust.com> wrote:

>As Entrust is not a member, I don't think I can send to the public list.
>Please feel free to send my response out to the public list. Also, please
>note that Entrust CA software does not provide OCSP responses, so all
>responses must be done from OCSP software which is integrated.
>I would agree that the time scale is too aggressive. I think the
>compatibility should have been investigated before the date was picked.
>From what I see we have some CAs that have control over their software
>and some CAs which purchase software. In the second case, you may have to
>get two software systems to integrate and then get them deployed. It can
>take some time.
>-----Original Message-----
>From: Steve Roylance [mailto:steve.roylance at globalsign.com]
>Sent: Friday, May 24, 2013 9:49 AM
>To: Bruce Morton; Gervase Markham
>Cc: questions at cabforum.org
>Subject: Re: [cabfpub] Ballot 100: Extend Deadline - OCSP Good Response
>Thanks Bruce.
>Would you therefore also agree the current timescale is too aggressive
>for non-CABForum members not up to speed on this topic, and another year
>would help as Browsers flow down the needs via their root programs to a
>wider audience?
>I notice the reply didn't go public, so I'll keep the list as is unless
>you feel like sending out again.
>On 24/05/2013 14:29, "Bruce Morton" <bruce.morton at entrust.com> wrote:
>>I just wanted to follow up on Steve's mention of Entrust below.
>>Entrust PKI software does not issue OCSP responses. The software needs
>>to work with an OCSP system. In some cases there may need to be
>>integration between Entrust PKI and the OCSP system.
>>For our CA we use Axway Validation Authority for OCSP. We are working
>>to integrate Entrust PKI and Axway. I do not think this integration
>>will be completed by 1 August 2013.
>>If there are other CAs using Entrust which have an issue, then I would
>>recommend that they either call the support service from Entrust or
>>their OCSP vendor to have the issue addressed.
>>-----Original Message-----
>>From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>On Behalf Of Steve Roylance
>>Sent: Friday, May 24, 2013 6:17 AM
>>To: Gervase Markham
>>Cc: public at cabforum.org
>>Subject: Re: [cabfpub] Ballot 100: Extend Deadline - OCSP Good Response
>>Hi Gerv,
>>I think you'll find that most major CAs who are active in the CABForum
>>should be OK as the warning came well in advance. It's only where SubCAs
>>are involved where there tends to be an issue. This is why I wanted to
>>reach out to people offering s/w services for Sub CA management last
>>year to get this information before setting deadlines that were
>>We know that Microsoft CA 2003 will not be compatible as OCSP was only
>>introduced with Server 2008. So SubCAs that use this need to upgrade to
>>get OCSP at all, never mind about OCSP database based responses. But
>>even if they upgrade to Server 2008, or 2008R2, or 2013 then ADCS doesn't
>>yet support database based OCSP responses. This list alone represents a
>>large %age of the community out there. Tag on to that the fact that
>>EJBCA and Corestreet don't support and you end up with quite a few who
>>need to take action. I happen to know Ascertia supports but don't know
>>about Entrust yet.
>>Does this help your decision?
>>Feel free to let me know if you want a quick call.
>>On 24/05/2013 09:24, "Gervase Markham" <gerv at mozilla.org> wrote:
>>>On 23/05/13 21:19, Ben Wilson wrote:
>>>> EFFECTIVE IMMEDIATELY, in order to allow third party vendors of OCSP
>>>> responders to enable their software to support the requirement, we
>>>Before voting on this, can each CA tell us which OCSP server vendor
>>>they use (or if they have written it in house) and what info they have
>>>from that vendor about their timeframe for supporting this requirement?
>>>Public mailing list
>>>Public at cabforum.org
