[cabfpub] Revocation Information

Rick Andrews Rick_Andrews at symantec.com
Wed Sep 24 19:51:21 UTC 2014


These are the answers for Symantec:

1) Yes, although in some cases we've issued both end-entities and intermediates from the same root or intermediate CA.
2) Yes, CRLs. We provide OCSP too. We always provide both.
3) No, but thanks for asking.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Tuesday, September 23, 2014 3:35 AM
Subject: [cabfpub] Revocation Information

Hi everyone,

At the face-to-face in Beijing, we talked out our new plan for revocation, and specifically OneCRL, our plan to aggregate revocation information for all non-leaf certificates (and perhaps some others) into a single source which Firefox would then download regularly, probably daily.

I had three questions for the CAs in the group, although there was not time to have a long discussion about them then, so I am presenting them here.

They are:

1) If we asked you to provide a set of URLs which together provided revocation information for all the non-EE certificates in hierarchies which chained up to a root we trust, could you do that?

2) Would all those URLs be URLs to CRLs? (I.e., to reverse the question, are there any intermediate certs for which you only provide revocation info via OCSP?)

3) Would you need some of that set of URLs to be secret (i.e. revealed to Mozilla, but you would prefer Mozilla not to reveal them to others)?
If so, why?

I expect the answers from all CAs to be Yes, Yes and No, so if your answer as a CA would be something else, please speak up :-)

We would want to build a system to make it easy for CAs to provide this information on an ongoing basis, but the discussion of how we do that is out of scope for the moment.

Public mailing list
Public at cabforum.org
