[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Rob Stradling rob.stradling at comodo.com
Fri Sep 19 19:07:51 UTC 2014


On 19/09/14 19:40, Brian Smith wrote:
<snip>
>> IINM, in Chrome's case CRLSets cover all EV certs, so there wouldn't be much
>> point making Stapled OCSP a prerequisite for getting the EV indicator.
>
> I think that is debatable. Part of the purpose of requiring a stapled
> OCSP response is making up for the limitations of CRLSets. In Chrome's
> case, making a stapled OCSP response mandatory for EV would benefit
> them because they could remove the EV entries from their CRLSet.
> Reducing the size of the CRLSet and/or making room for more non-EV
> entries would benefit them, AFAICT.

OK, I see where you're coming from, but I still think it's too early to 
mandate OCSP Stapling for EV.

Reducing the size of the CRLSet (or, better still, increasing the % of 
certs covered by the CRLSet) sounds like a good idea.

>>> (The only useful thing about EV is its effect on encouraging CT adoption.)
>>
>> Really?
>
> Yes.

Well, at least we agree that encouraging CT adoption is a good thing.  :-)

>>> That's a private matter between the CAs and Google.
>>
>> It ceases to be a private matter if we accept that it impacts the BRs/EVGs.
>
> That's circular reasoning. I'm saying the BRs don't need to be changed
> because it is a private matter. You are saying it isn't a private
> matter because the BRs need to be changed.

I said "if" deliberately.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


