[cabfpub] Question raised during CABF call today

Rick Andrews Rick_Andrews at symantec.com
Thu Nov 21 17:56:46 UTC 2013

Tom, Geoff, Gerv,

Here's the question I raised on the call. I'd really appreciate it if you could track down the answers for your respective platforms and share the answers with the CABF list.

Officially, only SHA-1 is supported in OCSP today (RFC 2560), and support for OCSP algorithm agility (RFC6277) might be limited. What is your plan about OCSP requests and responder certificates with SHA-1?

[Kelvin Yiu responded] We expect OCSP certificates and responses would signed with SHA2. Doesn't RFC 6277 requires support for at least RSA with SHA 256 in addition to RSA with SHA1? Are you aware of any OCSP client that do not support SHA256?

I'd like to understand if/when browser clients will stop using SHA-1 in OCSP requests, and when all supported platforms did/will support full use of SHA-256 in OCSP responses (in the signature of the response, and the signature of the cert that signed the response).

I'd also like to ask other CAs if they have full support for RFC6277. My hunch is that some don't support it, and can't easily support it (at least those CAs that outsource OCSP software and had difficulty complying with the "don't return a valid status for a cert you never issued" ballot).


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131121/dcd1db5b/attachment-0002.html>

More information about the Public mailing list