[cabfpub] OCSP Requirement for Root CA

Ben Wilson ben.wilson at digicert.com
Wed Jan 13 18:03:11 UTC 2016

Is the requirement really clear? Some browsers don't check OCSP for intermediates and use CRLs instead. I can't remember our exact discussion of this, but at one time didn't we determine that OCSP for intermediates was a "SHOULD" not a "MUST" and then we changed it to a "MUST"? (The BRs grant an exception if you implement OCSP stapling, but how does that align with the practical aspects of providing and performing certificate validation / revocation checking?)

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating
Sent: Monday, January 11, 2016 2:33 PM
To: Myers, Kenneth (10421) <kenneth.myers at protiviti.com>
Cc: public at cabforum.org
Subject: Re: [cabfpub] OCSP Requirement for Root CA

> On 11 Jan 2016, at 11:19 AM, Myers, Kenneth (10421) <kenneth.myers at protiviti.com> wrote:
> Good afternoon everyone,
> I have a quick question, must a Root CA operate an OCSP for intermediate certificates or is it only required for intermediate and end entity issuing CAs?

Your question is probably not the one you meant to ask, but the short answer is yes: intermediate certificates must have OCSP even if they are never used to issue other certificates themselves.  But why would you create an intermediate certificate that you will never use?

You might be thinking that a ‘Subordinate CA’ in the BRs means it is run by a separate entity, but it doesn’t mean that; any intermediate certificate creates a CA and all CAs are either Root or Subordinate.
