[cabfpub] OCSP Requirement for Root CA

Myers, Kenneth (10421) kenneth.myers at protiviti.com
Fri Jan 15 10:51:42 MST 2016


Hi Jeremy,


The use case is a Root CA that issues long-term CA certificates to a limited
number of organizations who operate their own issuing CAs independent from
the same infrastructure of the root.

For example, the Federal Government operates a Trust Anchor and issues 10
year subordinate certificates to a limited number of agencies (around 10).
Those organizations operate their own intermediate and issuing CAs. The
issuing CAs are required to have OCSP. All operate under the same CP but
have different organizational CPS. OCSP is not a requirement of the root as
long as we have a highly available HTTP CRL, and because of the low issuance
volume it is not big, nor will it get big, based on this model.


Ken


From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Wednesday, January 13, 2016 21:43
To: Peter Bowen <pzb at amzn.com>; Ryan Sleevi <sleevi at google.com>; Myers,
Kenneth (10421) <kenneth.myers at protiviti.com>; Ben Wilson
<ben.wilson at digicert.com>; public at cabforum.org
Subject: RE: [cabfpub] OCSP Requirement for Root CA

That'd be interesting. Is there a use case for it?

I don't see any reason it couldn't be done that way assuming you still have
an OCSP response that complies with 4.9.10.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
On Behalf Of Peter Bowen
Sent: Wednesday, January 13, 2016 1:49 PM
To: Ryan Sleevi; Myers, Kenneth (10421); Ben Wilson; public at cabforum.org
Subject: Re: [cabfpub] OCSP Requirement for Root CA

On Jan 13, 2016, at 10:15 AM, Ryan Sleevi <sleevi at google.com> wrote:

On Wed, Jan 13, 2016 at 10:03 AM, Ben Wilson <ben.wilson at digicert.com> wrote:

Is the requirement really clear? Some browsers don't check OCSP for
intermediates and use CRLs instead.

So? The BRs themselves are clear it's a requirement. I mean, if we want to
change to discuss that practical reality, we certainly can, but we should at
least honor the rules as written.

Section 4.9.10 makes that clear. 7.1.2.2 item c also makes this clear.

It seems pretty clear to me.

If a CA signs a certificate with CA:True in basicConstraints, then it must
issue CRLs.

If a CA issues certificates covered by the BRs (either subscriber
certificates or CA cross-certificates), then it must have an associated OCSP
responder.

I think it is allowable that a CA that issues both kinds of certs
(subscriber and CA) can issue CRLs with an IDP extension that indicates that
the CRL only covers CA certs.

Does this sound right?

Thanks,

Peter
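As an added example, not code from the thread or from any participant: a Go program that builds the arrangement Peter describes and Ken's model relies on, a CRL-only root (crlSign key usage, no OCSP pointer) whose CRL carries an IssuingDistributionPoint with onlyContainsCACerts, and shows what a relying party has to do with that flag. It uses only Go's standard crypto/x509 and encoding/asn1. The function and type names (ParseIDP, CRLCovers, BuildDemo, IDPFlags), the subject name, the validity periods and the empty revocation list are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// OID of the IssuingDistributionPoint CRL extension (RFC 5280, section 5.2.5).
var oidIDP = asn1.ObjectIdentifier{2, 5, 29, 28}

// Scope flags of IssuingDistributionPoint: implicitly tagged BOOLEANs that
// DEFAULT to FALSE, which encoding/asn1 omits when false.
type idpScope struct {
	OnlyContainsUserCerts bool `asn1:"optional,tag:1"`
	OnlyContainsCACerts   bool `asn1:"optional,tag:2"`
}

// IDPFlags is the decoded scope of a CRL's IssuingDistributionPoint.
type IDPFlags struct{ Present, OnlyUserCerts, OnlyCACerts bool }

// ParseIDP walks the IDP SEQUENCE element by element, so an optional
// distributionPoint [0] or onlySomeReasons [3] cannot upset decoding.
func ParseIDP(crl *x509.RevocationList) (f IDPFlags, err error) {
	for _, ext := range crl.Extensions {
		if !ext.Id.Equal(oidIDP) {
			continue
		}
		var seq, el asn1.RawValue
		if _, err = asn1.Unmarshal(ext.Value, &seq); err != nil {
			return f, err
		}
		if seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence {
			return f, errors.New("IDP extension is not a SEQUENCE")
		}
		f.Present = true
		for rest := seq.Bytes; len(rest) > 0; {
			if rest, err = asn1.Unmarshal(rest, &el); err != nil {
				return f, err
			}
			set := len(el.Bytes) == 1 && el.Bytes[0] != 0 // DER BOOLEAN TRUE is 0xFF
			switch {
			case el.Class != asn1.ClassContextSpecific:
			case el.Tag == 1:
				f.OnlyUserCerts = set
			case el.Tag == 2:
				f.OnlyCACerts = set
			}
		}
	}
	return f, nil
}

// CRLCovers reports whether a CRL with IDP scope f may be consulted for c at
// all; a CA-certs-only CRL says nothing about an end-entity certificate.
func CRLCovers(f IDPFlags, c *x509.Certificate) bool {
	return !(f.OnlyCACerts && !c.IsCA) && !(f.OnlyUserCerts && c.IsCA)
}

// BuildDemo is a constructed miniature of the thread's root: a self-signed
// trust anchor with crlSign, no OCSP, and a signed CRL marked onlyContainsCACerts.
func BuildDemo() (root *x509.Certificate, crl *x509.RevocationList, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	now := time.Now()
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Trust Anchor"},
		NotBefore: now, NotAfter: now.AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	if err != nil {
		return
	}
	if root, err = x509.ParseCertificate(der); err != nil {
		return
	}
	idpDER, _ := asn1.Marshal(idpScope{OnlyContainsCACerts: true}) // fixed input, cannot fail
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7),
		// IDP is a critical extension (RFC 5280); an empty revocation list is a valid CRL.
		ExtraExtensions: []pkix.Extension{{Id: oidIDP, Critical: true, Value: idpDER}},
	}, root, key)
	if err != nil {
		return
	}
	if crl, err = x509.ParseRevocationList(crlDER); err != nil {
		return
	}
	return root, crl, crl.CheckSignatureFrom(root)
}
```

Go's RevocationList template has no field for IDP, so the extension is marshalled by hand and supplied through ExtraExtensions; on the reading side the flags are taken from Extensions by walking the DER rather than unmarshalling into a fixed struct, because an IDP that also carries distributionPoint [0] would otherwise be mis-parsed by a struct of optional fields. The consequence of the flag is what CRLCovers encodes: a client holding only a CA-certs-only CRL has no status information for an end-entity certificate and must look for another CRL or an OCSP responder rather than treat the certificate as unrevoked.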
