[cabfpub] [cabfquest] Question concerning CAB Forum OCSP Requirments

Geoff Keating geoffk at apple.com
Tue Oct 28 19:57:07 UTC 2014

On 28 Oct 2014, at 2:40 am, Thomas Kopp <thomas.kopp at luxtrust.lu> wrote:

> Dear Ryan,
> Thanks for your explanation.
> However, we do understand why does CAB Forum imposes the “nocheck” for an authorized responder approach instead of leaving it at the CA’s discretion, as to whether they prefer covering OCSP responder certificates by a CRL or not?

You should not assume that client software will necessarily fall back to a CRL if the OCSP responder certificate has a self-signed OCSP response.  Client software may simply decide the validation of the OCSP response has failed and either 'soft fail' (assume the original certificate is valid) or 'hard fail' (assume the original certificate is invalid).

In both cases, since the previous OCSP validation has failed, the OCSP responder will likely flush that response from its cache immediately, and then re-fetch it next time that certificate's validation is requested.  Past (painful) experience shows this can lead to a 10x or more increase in load on the OCSP responder.

Alternatively, client software may assume that you meant to specify nocheck, and behave as if you did.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4103 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141028/40b991da/attachment-0001.p7s>

More information about the Public mailing list