[cabfpub] Revocation Information

i-barreira at izenpe.net i-barreira at izenpe.net
Thu Sep 25 07:16:10 UTC 2014

Gerv, in case you're interested, Izenpe answers are also yes, yes, and no.

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Wednesday, September 24, 2014 21:51
To: Gervase Markham; CABFPub
Subject: Re: [cabfpub] Revocation Information


These are the answers for Symantec:

1) Yes, although in some cases we've issued both end-entities and intermediates from the same root or intermediate CA.
2) Yes, CRLs. We provide OCSP too. We always provide both.
3) No, but thanks for asking.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Tuesday, September 23, 2014 3:35 AM
Subject: [cabfpub] Revocation Information

Hi everyone,

At the face-to-face in Beijing, we talked about our new plan for revocation, and specifically OneCRL, our plan to aggregate revocation information for all non-leaf certificates (and perhaps some others) into a single source which Firefox would then download regularly, probably daily.

I had three questions for the CAs in the group, although there was not time to have a long discussion about them then, so I am presenting them here.

They are:

1) If we asked you to provide a set of URLs which together provided revocation information for all the non-EE certificates in hierarchies which chained up to a root we trust, could you do that?

2) Would all those URLs be URLs to CRLs? (I.e., to reverse the question, are there any intermediate certs for which you only provide revocation info via OCSP?)

3) Would you need some of that set of URLs to be secret (i.e. revealed to Mozilla, but you would prefer Mozilla not to reveal them to others)? If so, why?

I expect the answers from all CAs to be Yes, Yes and No, so if your answer as a CA would be something else, please speak up :-)

We would want to build a system to make it easy for CAs to provide this information on an ongoing basis, but the discussion of how we do that is out of scope for the moment.

Public mailing list
Public at cabforum.org