[cabfpub] FW: Ballot 100: Extend Deadline - OCSP Good Response

Steve Roylance steve.roylance at globalsign.com
Fri May 24 15:04:08 UTC 2013


Forward to the Public list adding some clarification from Entrust and
their support to allow more time.


On 24/05/2013 15:12, "Bruce Morton" <bruce.morton at entrust.com> wrote:

>As Entrust is not a member, I don't think I can send to the public list.
>Please feel free to send my response out to the public list. Also, please
>note that Entrust CA software does not provide OCSP responses, so all
>responses must be done from OCSP software which is integrated.
>
>I would agree that the time scale is too aggressive. I think the
>compatibility should have been investigated before the date was picked.
>From what I see we have some CAs that have control over their software
>and some CAs which purchase software. In the second case, you may have to
>get two software systems to integrate and then get them deployed. It can
>take some time.
>
>Bruce.
>
>-----Original Message-----
>From: Steve Roylance [mailto:steve.roylance at globalsign.com]
>Sent: Friday, May 24, 2013 9:49 AM
>To: Bruce Morton; Gervase Markham
>Cc: questions at cabforum.org
>Subject: Re: [cabfpub] Ballot 100: Extend Deadline - OCSP Good Response
>
>Thanks Bruce.
>
>Would you therefore also agree the current timescale is too aggressive
>for non CABForum members not up to speed on this topic and another year
>would help as Browsers flow down the needs via their root programs to a
>wider audience?
>
>I notice the reply didn't go public, so I'll keep the list as is unless
>you feel like sending out again.
>
>Steve
>
>
>
>On 24/05/2013 14:29, "Bruce Morton" <bruce.morton at entrust.com> wrote:
>
>>I just wanted to follow up on Steve's mention of Entrust below.
>>
>>Entrust PKI software does not issue OCSP responses. The software needs
>>to work with an OCSP system. In some cases there may need to be
>>integration between Entrust PKI and the OCSP system.
>>
>>For our CA we use Axway Validation Authority for OCSP. We are working
>>to integrate Entrust PKI and Axway. I do not think this integration
>>will be completed by 1 August 2013.
>>
>>If there are other CAs using Entrust which have an issue, then I would
>>recommend that they either call the support service from Entrust or
>>their OCSP vendor to have the issue addressed.
>>
>>Bruce.
>>
>>-----Original Message-----
>>From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>On Behalf Of Steve Roylance
>>Sent: Friday, May 24, 2013 6:17 AM
>>To: Gervase Markham
>>Cc: public at cabforum.org
>>Subject: Re: [cabfpub] Ballot 100: Extend Deadline - OCSP Good Response
>>
>>Hi Gerv,
>>
>>I think you'll find that most major CAs who are active in the CABForum
>>should be OK as the warning came well in advance.  It's only where SubCAs
>>are involved where there tends to be an issue.   This is why I wanted to
>>reach out to people offering s/w services for Sub CA management last
>>year to get this information before setting deadlines that were
>>unrealistic.
>>
>>We know that Microsoft CA 2003 will not be compatible as OCSP was only
>>introduced with Server 2008. So SubCAs that use this need to upgrade to
>>get OCSP at all, never mind about OCSP database based responses. But
>>even if they upgrade to Server 2008, or 2008R2, or 2013 then ADCS doesn't
>>yet support database based OCSP responses. This list alone represents
>>a large %age of the community out there. Tag on to that the fact that
>>EJBCA and Corestreet don't support and you end up with quite a few who
>>need to take action. I happen to know Ascertia supports but don't know
>>about Entrust yet.
>>
>>Does this help your decision?
>>
>>Feel free to let me know if you want a quick call.
>>
>>Steve
>>
>>
>>
>>
>>
>>On 24/05/2013 09:24, "Gervase Markham" <gerv at mozilla.org> wrote:
>>
>>>On 23/05/13 21:19, Ben Wilson wrote:
>>>> EFFECTIVE IMMEDIATELY, in order to allow third party vendors of OCSP
>>>> responders to enable their software to support the requirement, we
>>>
>>>Before voting on this, can each CA tell us which OCSP server vendor
>>>they use (or if they have written it in house) and what info they have
>>>from that vendor about their timeframe for supporting this requirement?
>>>
>>>Gerv
>>>_______________________________________________
>>>Public mailing list
>>>Public at cabforum.org
>>>https://cabforum.org/mailman/listinfo/public
>>
>>
>
>




