[cabfpub] OCSP For Root CA

Myers, Kenneth (10421) kenneth.myers at protiviti.com
Mon Jan 11 19:41:38 UTC 2016


Sorry everyone, included the policy conflict section as well.

The confusion is due to the following in section 7.1.2.2 of V1.3.1 of the BR, which I interpret to mean the CDP is mandatory while the OCSP is the one that is potentially optional. I may not fully understand stapling, but thought it was a browser function and not a CA function.

7.1.2.2. Subordinate CA Certificate
b. cRLDistributionPoints
This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL of the
CA's CRL service.
c. authorityInformationAccess
With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
marked critical, and it MUST contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA's certificate (accessMethod =
1.3.6.1.5.5.7.48.2).
The HTTP URL of the Issuing CA's OCSP responder MAY be omitted, provided that the Subscriber "staples" the
OCSP response for the Certificate in its TLS handshakes [RFC4366].



Kenneth Myers
Supporting GSA Federal PKI Management Authority
Protiviti | Government Solutions | Manager
DC          | +1 571-469-9038 | Kenneth.Myers at GSA.gov
Alexandria  | +1 571-366-6120 | Kenneth.Myers at Protiviti.com
Connect: LinkedIn <https://www.linkedin.com/in/kennethmy> | Thought Leadership: Protiviti.com <http://www.protiviti.it/en-US/Pages/Insights.aspx>

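An added example, not part of the original message or of the Baseline Requirements: a small lint that applies the quoted 7.1.2.2 (b) and (c) rules to the text output of `openssl x509 -noout -text`. The sample certificate text, URLs and function names are constructed for illustration; "HTTP URL" is read as an `http://` URI, and whether the Subscriber staples is passed in as a flag because it cannot be determined from the certificate itself.

```python
import re

# Constructed sample: the extensions part of `openssl x509 -noout -text` output
# for a hypothetical subordinate CA certificate (URLs are placeholders).
SAMPLE = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.test/root.crl
            Authority Information Access:
                CA Issuers - URI:http://pki.example.test/root.cer
"""

def parse_extensions(text):
    """Map extension name -> [critical, body]; assumes openssl's 12-space indent."""
    exts, name = {}, None
    for line in text.splitlines():
        m = re.match(r" {12}(\S[^:]*):\s*(critical)?\s*$", line)
        if m:
            name = m.group(1)
            exts[name] = [m.group(2) is not None, ""]
        elif name and line.startswith(" " * 13):
            exts[name][1] += line.strip() + "\n"
    return exts

def lint_subca(text, subscriber_staples=False):
    """Findings for the quoted 7.1.2.2 b and c; stapling cannot be read from the
    certificate, so the caller states it."""
    exts, out = parse_extensions(text), []
    crit, body = exts.get("X509v3 CRL Distribution Points", (None, ""))
    if crit is None:
        out.append(("ERROR", "cRLDistributionPoints MUST be present"))
    elif crit:
        out.append(("ERROR", "cRLDistributionPoints MUST NOT be critical"))
    if crit is not None and "URI:http://" not in body:
        out.append(("ERROR", "cRLDistributionPoints MUST contain an HTTP URL"))
    crit, body = exts.get("Authority Information Access", (None, ""))
    if crit:
        out.append(("ERROR", "authorityInformationAccess MUST NOT be critical"))
    if "OCSP - URI:http://" not in body and not subscriber_staples:
        out.append(("ERROR", "OCSP URL omitted without stapling"))
    if "CA Issuers - URI:http://" not in body:
        out.append(("WARN", "SHOULD contain the Issuing CA certificate URL"))
    return out

if __name__ == "__main__":
    for finding in lint_subca(SAMPLE):
        print(*finding)
```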