[cabfpub] OCSP Response Signing Certificate Validity Period with No-Check extension

Ryan Sleevi sleevi at google.com
Wed Sep 18 19:12:03 UTC 2013


Assuming (perhaps incorrectly) that you may be using this cert for EV and
BR certs:

Section 9.4 of the Baseline Requirements v1.1.6 does not describe a
mandatory validity period for subordinate CA certificates. Neither does
Section 2 of Appendix B.

Provided the certificate matches the requirements enumerated in Appendixes
A and B (which are normative) and all those of Section 9 ("Certificate
Content and Profile"), it should be fine.

For EV, Section 9 / Section 9.4 of EV Guidelines 1.4.3 equally do not
specify a mandatory validity period for subordinate CA certificates.


Because of this, the guidance of Section 4.2.2.2.1 of RFC 2560 / RFC 6960
should apply.

As noted in those documents, "CAs may choose to issue this type of
certificate with a very short lifetime and renew it frequently."

Note that Root Programs may have separate requirements, and you should
consult the Root Program managers for further feedback. A few CC'd. At this
time, I'm not aware of any Root Programs having mandatory requirements on
delegated OCSP signers. Perhaps that should be something for a future
Baseline Requirements update.



On Tue, Sep 17, 2013 at 10:51 PM, Chema López González <
clopez at firmaprofesional.com> wrote:

> Patrick, unfortunately, I didn't get an answer at all, but I'm confident
> I'll get it sooner or later!
>
>
> On Tue, Sep 17, 2013 at 7:17 PM, Patrick Tronnier <
> Patrick.Tronnier at oati.net> wrote:
>
>> Chema,
>>
>> Did you get a response to your question on the validity period of the
>> OCSP signing certificate?
>>
>> With kind regards,
>>
>> Patrick Tronnier
>> Principal Security Architect &
>> Sr. Director of Quality Assurance
>> Phone: 763.201.2000
>> Fax: 763.201.5333
>> Direct Line: 763.201.2052
>> Open Access Technology International, Inc.
>> 3660 Technology Drive NE, Minneapolis, MN 55418
>>
>> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>> *On Behalf Of *Chema López González
>> *Sent:* Wednesday, September 04, 2013 4:08 AM
>> *To:* public at cabforum.org
>> *Subject:* [cabfpub] OCSP Response Signing Certificate Validity Period
>> with No-Check extension
>>
>> Dear all,
>>
>> We, Firmaprofesional, are in the process of enabling EV Certificate check
>> in Mozilla (among others) and an issue has arisen.
>>
>> Our OCSP Response Signing Certificate does not have the No-Check
>> extension enabled, so we need to issue a new OCSP Response Signing
>> Certificate. Is there any (mandatory) limitation on the validity period of
>> these certificates, since there is no possibility to revoke them (at least,
>> to ask for their status)?
>>
>> Thanks in advance,
>>
>> --
>> Chema López González
>> AC Firmaprofesional S.A.
>> Av. Torre Blanca, 57.
>> Edificio ESADECREAPOLIS - 1B13
>> 08173 Sant Cugat del Vallès. Barcelona.
>> Tel: 93.477.42.45 / 666.429.224
>>
>>
>
>
>
> --
> Chema López González
> AC Firmaprofesional S.A.
> Av. Torre Blanca, 57.
> Edificio ESADECREAPOLIS - 1B13
> 08173 Sant Cugat del Vallès. Barcelona.
> Tel: 93.477.42.45 / 666.429.224
>