[cabfpub] Revocation Information

Gervase Markham gerv at mozilla.org
Fri Sep 26 11:08:13 UTC 2014

Hi Ryan,

On 23/09/14 18:04, Ryan Sleevi wrote:
> However, of more meaningful discussion is what happens for the hierarchy
> beneath that CA? We assume it is all private - indistinguishable from a
> wildcard cert, for example.

Your point is a valid one. I have not discussed this, but I think the
answer will probably have to be that we will fall back to live OCSP
checking for intermediate certs underneath an intermediate we detect as
technically constrained. (End-entity certs would get the same treatment
- look for short-lived or stapling, then fall back to live OCSP.)

So our code will need to be able to detect which certs count as
"technically constrained" so we can handle them differently.

> OCSP MultiStaple is an option, but are you sure you want to negotiate
> that with all clients - including the public internet?

As you hint, I don't think getting enterprises to universally deploy
multistaple is a sane option :-)
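An added example (not code from the thread, from Mozilla, or from any real client) modelling the fallback Gerv sketches: classify an intermediate as technically constrained, then choose a revocation check for each certificate in a chain. Certificates are plain dicts; the field names, the short-lived threshold and the constraint rules (an EKU extension without anyExtendedKeyUsage, plus name constraints matching the EKUs present, loosely following the Baseline Requirements' definition) are assumptions.

```python
from datetime import datetime, timedelta, timezone

ANY_EKU, SERVER_AUTH, EMAIL = "anyExtendedKeyUsage", "serverAuth", "emailProtection"
SHORT_LIVED = timedelta(days=7)  # assumed threshold for treating a leaf as short-lived

def is_technically_constrained(ca):
    """Classify an intermediate CA (a dict; field names are assumptions).
    eku: set of EKU names, or None when the extension is absent.
    name_constraints: set of permitted name types, or None when absent."""
    eku = ca.get("eku")
    if not eku or ANY_EKU in eku:
        return False  # no EKU, or anyExtendedKeyUsage: may issue any kind of cert
    nc = ca.get("name_constraints") or set()
    if SERVER_AUTH in eku and not ({"dNSName", "iPAddress"} & nc):
        return False  # TLS-capable but not limited to particular hosts
    if EMAIL in eku and "rfc822Name" not in nc:
        return False  # S/MIME-capable but not limited to particular mailboxes
    return True

def leaf_strategy(leaf, stapled_ocsp):
    """Short-lived first, then a stapled response, then live OCSP."""
    if leaf["not_after"] - leaf["not_before"] <= SHORT_LIVED:
        return "short-lived"
    return "stapled-ocsp" if stapled_ocsp else "live-ocsp"

def plan_revocation_checks(chain, stapled_ocsp=False):
    """chain is root-first: [root, intermediate..., leaf]; returns one strategy per cert.
    Intermediates not beneath a technically constrained CA get "not-here": how the
    public hierarchy is handled is outside this example."""
    plan, under_constrained = ["trust-anchor"], False
    for ca in chain[1:-1]:
        plan.append("live-ocsp" if under_constrained else "not-here")
        under_constrained = under_constrained or is_technically_constrained(ca)
    plan.append(leaf_strategy(chain[-1], stapled_ocsp))
    return plan

def example():
    """Constructed chain: public root -> name-constrained enterprise CA -> sub-CA -> leaf."""
    t0 = datetime(2014, 9, 26, tzinfo=timezone.utc)
    chain = [
        {"subject": "Example Root", "eku": None, "name_constraints": None},
        {"subject": "Enterprise CA", "eku": {SERVER_AUTH}, "name_constraints": {"dNSName"}},
        {"subject": "Enterprise Sub-CA", "eku": {SERVER_AUTH}, "name_constraints": None},
        {"subject": "host.example", "not_before": t0, "not_after": t0 + timedelta(days=365)},
    ]
    return plan_revocation_checks(chain)

if __name__ == "__main__":
    print(example())
```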


