[cabfpub] OCSP Requirement for Root CA

Peter Bowen pzb at amzn.com
Wed Jan 13 13:48:48 MST 2016


On Jan 13, 2016, at 10:15 AM, Ryan Sleevi <sleevi at google.com> wrote:
> On Wed, Jan 13, 2016 at 10:03 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
> Is the requirement really clear? Some browsers don't check OCSP for intermediates and use CRLs instead.
> 
> So? The BRs themselves are clear it's a requirement. I mean, if we want to change to discuss that practical reality, we certainly can, but we should at least honor the rules as written.
> 
> Section 4.9.10 makes that clear. 7.1.2.2 item c also makes this clear.

It seems pretty clear to me.  

If a CA signs a certificate with CA:True in basicConstraints, then it must issue CRLs.

If a CA issues certificates covered by the BRs (either subscriber certificates or CA cross-certificates), then it must have an associated OCSP responder.

I think it is allowable that a CA that issues both kinds of certs (subscriber and CA) can issue CRLs with an IDP extension that indicates that the CRL only covers CA certs.

Does this sound right?

Thanks,
Peter
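The third point above, a CRL scoped to CA certificates through an IDP extension, as an added example that is not part of this thread: it builds such a CRL with the Python `cryptography` package and applies the RFC 5280 section 6.3.3 scope check to decide whether the CRL covers a given certificate (the issuer name, key, date and certificate names are constructed test data).

```python
# Added example, not from the thread: build a CA-only CRL carrying an
# IssuingDistributionPoint extension and check which certificates it is in
# scope for, following RFC 5280 section 6.3.3 step (b)(2).
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed issuer identity, key and reference time (not real CA data).
NOW = datetime.datetime(2016, 1, 13, tzinfo=datetime.timezone.utc)
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
CA_KEY = ec.generate_private_key(ec.SECP256R1())

def make_cert(cn: str, is_ca: bool) -> x509.Certificate:
    """Issue a subscriber (is_ca=False) or CA (is_ca=True) certificate from the example CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ISSUER).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(CA_KEY, hashes.SHA256()))

def make_crl(only_ca: bool) -> x509.CertificateRevocationList:
    """Sign an (empty) CRL; with only_ca=True, scope it to CA certificates via IDP."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ISSUER)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    if only_ca:
        idp = x509.IssuingDistributionPoint(
            full_name=None, relative_name=None, only_contains_user_certs=False,
            only_contains_ca_certs=True, only_some_reasons=None,
            indirect_crl=False, only_contains_attribute_certs=False)
        builder = builder.add_extension(idp, critical=True)  # RFC 5280: IDP MUST be critical
    return builder.sign(CA_KEY, hashes.SHA256())

def crl_covers(crl: x509.CertificateRevocationList, cert: x509.Certificate) -> bool:
    """Return False when the CRL's IDP scope excludes this certificate (RFC 5280 6.3.3 (b)(2))."""
    is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return True  # no IDP: a full CRL for everything this issuer signed
    if idp.only_contains_ca_certs and not is_ca:
        return False  # CA-only CRL says nothing about a subscriber certificate
    if idp.only_contains_user_certs and is_ca:
        return False  # subscriber-only CRL says nothing about a CA certificate
    return True
```

A relying party that finds `crl_covers` false must fetch a different CRL (or use OCSP) for that certificate rather than treat it as unrevoked.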