[cabfpub] OCSP Requirement for Root CA

Ryan Sleevi sleevi at google.com
Wed Jan 13 18:15:14 UTC 2016


On Wed, Jan 13, 2016 at 10:03 AM, Ben Wilson <ben.wilson at digicert.com>
wrote:

> Is the requirement really clear?  Some browsers don't check OCSP for
> intermediates and use CRLs instead.


So? The BRs themselves are clear it's a requirement. I mean, if we want to
change to discuss that practical reality, we certainly can, but we should
at least honor the rules as written.

Section 4.9.10 makes that clear. 7.1.2.2 item c also makes this clear.


>  I can't remember our exact discussion of this, but at one time didn't we
> determine that  OCSP for intermediates was a "SHOULD" not a "MUST" and then
> we changed it to a "MUST"?
>

That's not captured in the BRs. That's not to say it couldn't be, but
that's not what it is in the BRs at present.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160113/b87e9dc7/attachment-0003.html>


More information about the Public mailing list