[cabfpub] OCSP Requirement for Root CA

Peter Bowen pzb at amzn.com
Wed Jan 13 20:48:48 UTC 2016

On Jan 13, 2016, at 10:15 AM, Ryan Sleevi <sleevi at google.com> wrote:
> On Wed, Jan 13, 2016 at 10:03 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
> Is the requirement really clear?  Some browsers don't check OCSP for intermediates and use CRLs instead.
> So? The BRs themselves are clear it's a requirement. I mean, if we want to change to discuss that practical reality, we certainly can, but we should at least honor the rules as written.
> Section 4.9.10 makes that clear. item c also makes this clear.

It seems pretty clear to me.  

If a CA signs a certificate with CA:True in basicConstraints, then it must issue CRLs.

If a CA issues certificates covered by the BRs (either subscriber certificates or CA cross-certificates), then it must have an associated OCSP responder.

I think it is allowable that a CA that issues both kinds of certs (subscriber and CA) can issue CRLs with an IDP extension that indicates that the CRL only covers CA certs.

Does this sound right?
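The CRL-scoping point in the message above, as an added example that is not part of the thread: it builds a CRL carrying an IssuingDistributionPoint extension with onlyContainsCACerts set, then checks whether that CRL may be used for a given certificate (CA vs. subscriber, judged by basicConstraints). It assumes the third-party `cryptography` package; the CA name, key and certificates are constructed for the demo.

```python
# Added example (not from the thread): a CRL scoped to CA certificates via the
# IssuingDistributionPoint (IDP) extension, and a relying-party check that a
# CRL's IDP scope actually covers the certificate being validated (RFC 5280 5.2.5).
# Assumes the `cryptography` package; all names and keys are constructed.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CA_KEY = ec.generate_private_key(ec.SECP256R1())  # demo key, constructed
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root CA")])
NOW = datetime.datetime(2016, 1, 13, tzinfo=datetime.timezone.utc)

def make_cert(subject: str, is_ca: bool) -> x509.Certificate:
    """Issue a test certificate from the demo CA with the given basicConstraints.
    The CA key is reused as the subject key purely to keep the demo short."""
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
            .issuer_name(CA_NAME).public_key(CA_KEY.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(CA_KEY, hashes.SHA256()))

def make_ca_only_crl() -> x509.CertificateRevocationList:
    """CRL whose IDP extension says it covers only CA certificates."""
    idp = x509.IssuingDistributionPoint(
        full_name=None, relative_name=None, only_contains_user_certs=False,
        only_contains_ca_certs=True, only_some_reasons=None, indirect_crl=False,
        only_contains_attribute_certs=False)
    return (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
            .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
            .add_extension(idp, critical=True).sign(CA_KEY, hashes.SHA256()))

def crl_covers(crl: x509.CertificateRevocationList, cert: x509.Certificate) -> bool:
    """True if `crl` is in scope for `cert`: same issuer, and the IDP's
    onlyContainsCACerts / onlyContainsUserCerts flags match the cert's CA bit."""
    if crl.issuer != cert.issuer:
        return False
    try:
        is_ca = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca
    except x509.ExtensionNotFound:
        is_ca = False  # no basicConstraints: treat as an end-entity certificate
    try:
        idp = crl.extensions.get_extension_for_oid(ExtensionOID.ISSUING_DISTRIBUTION_POINT).value
    except x509.ExtensionNotFound:
        return True  # no IDP: a full CRL covers everything this issuer signed
    if idp.only_contains_ca_certs and not is_ca:
        return False  # CA-only CRL says nothing about a subscriber certificate
    if idp.only_contains_user_certs and is_ca:
        return False  # end-entity-only CRL says nothing about a CA certificate
    return True
```

A validator that ignores the IDP scope would wrongly treat a subscriber certificate as "not revoked" after consulting a CA-only CRL; `crl_covers` is the check that prevents that.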

