[cabfpub] insanity::pkix documentation

Ryan Sleevi sleevi at google.com
Wed Oct 9 13:27:36 MST 2013


On Wed, Oct 9, 2013 at 1:03 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> Gerv,
>
> Thanks for sending this. The only item that gave me pause was the note
> about no support for CRLs, and the sentence: "The CABForum Extended
> Validation guidelines now require OCSP support, so Firefox no longer needs
> to process CRLs for EV certificates."
>
> The EV Guidelines today require OCSP support (inherited from the BRs) but
> isn't it possible that there are some EV and non-EV certs out there today
> without an AIA pointer that were issued before the relevant requirements
> made OCSP mandatory? We (Symantec) haven't issued any such certs, but I
> thought others might have.
>
> -Rick
>

Hi Rick,

Luckily, this shouldn't be a concern for anyone who is following the EV
Guidelines.

EV Guidelines 1.0 required (in Section 26) that CAs MUST support an OCSP
capability for Subscriber Certificates that are issued after Dec 31, 2010.

Since the maximum validity period of an EV certificate SHALL NOT exceed
twenty seven months (Section 8.a), we can rest assured that ALL EV
certificates MUST have an OCSP capability.

Please see https://cabforum.org/EV_Certificate_Guidelines.pdf for the
historical context.

Of course, if any CA disagrees, I'm sure the Root Program Operators would
be very interested in this non-compliance. Glad to hear that Symantec is
following the EV guidelines.

Cheers,
Ryan


>
> > -----Original Message-----
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Gervase Markham
> > Sent: Wednesday, October 09, 2013 12:15 PM
> > To: CABFPub
> > Subject: [cabfpub] insanity::pkix documentation
> >
> > Hi everyone,
> >
> > At the face-to-face, people asked for documentation on insanity::pkix.
> > I hope the attached goes some way to meeting that need. Note that it's
> > a 0.1 draft; it is being circulated for information and in the hope
> > that it helps.
> >
> > The code can be found here:
> > https://hg.mozilla.org/users/brian_briansmith.org/certverifier
> >
> > It's not the very latest, but it should give you a good idea. Also see
> > Mozilla bug 878932 and related bugs.
> > https://bugzilla.mozilla.org/show_bug.cgi?id=878932
> >
> > Gerv
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>