[cabfpub] OCSP Requirement for Root CA

Jeremy Rowley jeremy.rowley at digicert.com
Thu Jan 14 02:43:02 UTC 2016

That'd be interesting.  Is there a use case for it? 


I don't see any reason it couldn't be done that way assuming you still have
an OCSP response that complies with 4.9.10. 


From: public-bounces at cabforum.org On Behalf Of Peter Bowen
Sent: Wednesday, January 13, 2016 1:49 PM
To: Ryan Sleevi; Myers, Kenneth (10421); Ben Wilson; public at cabforum.org
Subject: Re: [cabfpub] OCSP Requirement for Root CA


On Jan 13, 2016, at 10:15 AM, Ryan Sleevi <sleevi at google.com> wrote:

On Wed, Jan 13, 2016 at 10:03 AM, Ben Wilson <ben.wilson at digicert.com> wrote:

Is the requirement really clear?  Some browsers don't check OCSP for
intermediates and use CRLs instead. 


So? The BRs themselves are clear it's a requirement. I mean, if we want to
change to discuss that practical reality, we certainly can, but we should at
least honor the rules as written.


Section 4.9.10 makes that clear. Item c also makes this clear.


It seems pretty clear to me.  


If a CA signs a certificate with CA:True in basicConstraints, then it must
issue CRLs.


If a CA issues certificates covered by the BRs (either subscriber
certificates or CA cross-certificates), then it must have an associated OCSP


I think it is allowable that a CA that issues both kinds of certs
(subscriber and CA) can issue CRLs with an IDP extension that indicates that
the CRL only covers CA certs.


Does this sound right?
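
The CRL scoping raised at the end of the message above, as an added example that is not part of the original thread: it builds a CRL whose critical IssuingDistributionPoint extension asserts onlyContainsCACerts and applies the RFC 5280 section 6.3.3 scope check a relying party performs before trusting that CRL for a given certificate. It assumes the Python `cryptography` package; the key, names and dates are constructed, and `make_cert`, `make_crl` and `crl_in_scope` are hypothetical helper names.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed issuer: throwaway key and name, not a real CA.
NOW = dt.datetime(2016, 1, 14)
KEY = ec.generate_private_key(ec.SECP256R1())
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Root CA")])

def make_cert(common_name, is_ca):
    """Issue a constructed certificate with basicConstraints cA set to is_ca."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ISSUER)
            .public_key(KEY.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(KEY, hashes.SHA256()))

def make_crl(ca_only):
    """Sign an empty CRL; with ca_only, add a critical IDP scoped to CA certificates."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ISSUER).last_update(NOW)
               .next_update(NOW + dt.timedelta(days=7)))
    if ca_only:
        idp = x509.IssuingDistributionPoint(
            full_name=None, relative_name=None, only_contains_user_certs=False,
            only_contains_ca_certs=True, only_some_reasons=None,
            indirect_crl=False, only_contains_attribute_certs=False)
        builder = builder.add_extension(idp, critical=True)
    return builder.sign(KEY, hashes.SHA256())

def crl_in_scope(crl, cert):
    """Return True if this CRL can give revocation status for cert (IDP scope only)."""
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return True  # no IDP: the CRL is not restricted by certificate type
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False  # no basicConstraints means an end-entity certificate
    if idp.only_contains_ca_certs and not is_ca:
        return False  # CA-only CRL says nothing about subscriber certificates
    return not (idp.only_contains_user_certs and is_ca)
```

A validator that skips this check would treat a subscriber certificate's absence from the CA-only CRL as "not revoked", so subscriber certificates need their own status source such as the OCSP responder.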



