[cabfpub] OCSP Requirement for Root CA

Geoff Keating geoffk at apple.com
Mon Jan 11 21:32:43 UTC 2016


> On 11 Jan 2016, at 11:19 AM, Myers, Kenneth (10421) <kenneth.myers at protiviti.com> wrote:
> 
> Good afternoon everyone,
>  
> I have a quick question, must a Root CA operate an OCSP for intermediate certificates or is it only required for intermediate and end entity issuing CAs?

Your question is probably not the one you meant to ask, but the short answer is yes: intermediate certificates must have OCSP even if they are never used to issue other certificates themselves.  But why would you create an intermediate certificate that you will never use?

You might be thinking that a ‘Subordinate CA’ in the BRs means it is run by a separate entity, but it doesn’t mean that; any intermediate certificate creates a CA and all CAs are either Root or Subordinate.
