[cabfpub] OCSP Requirement for Root CA

Myers, Kenneth (10421) kenneth.myers at protiviti.com
Mon Jan 11 19:19:37 UTC 2016

Good afternoon everyone,

I have a quick question, must a Root CA operate an OCSP for intermediate certificates or is it only required for intermediate and end entity issuing CAs? Or in other words, must all CAB Forum compliant CAs operate an OCSP or only selected ones? It is not clear in the BRs which CAs must operate an OCSP.

4.9.10. On‐line Revocation Checking Requirements says

…the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements.
For the status of Subscriber Certificates…
For the status of Subordinate CA Certificates…”

In the BR Cert profiles, subordinate CA certs and end-entity certs MUST have an AIA (OCSP) extension, and they MAY have a CDP (CRL) extension. A subordinate CA having an OCSP in its AIA would denote that the issuing CA of that subordinate operates an OCSP.

We are looking at whether our Root CA must operate an OCSP for our intermediate CA certificates to be BR compliant.

Kenneth Myers
Supporting GSA Federal PKI Management Authority
Protiviti | Government Solutions | Manager
DC             | +1 571-469-9038 | Kenneth.Myers at GSA.gov<mailto:Kenneth.Myers at GSA.gov>
Alexandria  | +1 571-366-6120 | Kenneth.Myers at Protiviti.com<mailto:Kenneth.Myers at Protiviti.com>
Connect: LinkedIn<https://www.linkedin.com/in/kennethmy> | Thought Leadership: Protiviti.com<http://www.protiviti.it/en-US/Pages/Insights.aspx>

NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160111/7fba09c7/attachment-0002.html>

More information about the Public mailing list