[cabfpub] OCSP Requirement for Root CA
Jeremy Rowley
jeremy.rowley at digicert.com
Thu Jan 14 02:43:02 UTC 2016
That'd be interesting. Is there a use case for it?
I don't see any reason it couldn't be done that way assuming you still have
an OCSP response that complies with 4.9.10.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Peter Bowen
Sent: Wednesday, January 13, 2016 1:49 PM
To: Ryan Sleevi; Myers, Kenneth (10421); Ben Wilson; public at cabforum.org
Subject: Re: [cabfpub] OCSP Requirement for Root CA
On Jan 13, 2016, at 10:15 AM, Ryan Sleevi <sleevi at google.com> wrote:
On Wed, Jan 13, 2016 at 10:03 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
Is the requirement really clear? Some browsers don't check OCSP for
intermediates and use CRLs instead.
So? The BRs themselves are clear it's a requirement. I mean, if we want to
change to discuss that practical reality, we certainly can, but we should at
least honor the rules as written.
Section 4.9.10 makes that clear. 7.1.2.2 item c also makes this clear.
It seems pretty clear to me.
If a CA signs a certificate with CA:True in basicConstraints, then it must
issue CRLs.
If a CA issues certificates covered by the BRs (either subscriber
certificates or CA cross-certificates), then it must have an associated OCSP
responder.
I think it is allowable that a CA that issues both kinds of certs
(subscriber and CA) can issue CRLs with an IDP extension that indicates that
the CRL only covers CA certs.
Does this sound right?
Thanks,
Peter
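As an added example (not code from anyone in this thread), a small pure-Python check of the scope rule Peter describes: given the DER value of a CRL's Issuing Distribution Point extension, decide whether that CRL can speak for a CA certificate or an end-entity certificate, following RFC 5280 sections 5.2.5 and 6.3.3. The sample IDP byte strings are constructed for this example.

```python
"""Scope check for a CRL's IssuingDistributionPoint (IDP) extension.

RFC 5280 IssuingDistributionPoint ::= SEQUENCE {
    distributionPoint          [0] DistributionPointName OPTIONAL,
    onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
    onlySomeReasons            [3] ReasonFlags OPTIONAL,
    indirectCRL                [4] BOOLEAN DEFAULT FALSE,
    onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
"""

# Implicitly tagged context-specific BOOLEANs we care about for scoping.
FLAG_TAGS = {0x81: "only_user", 0x82: "only_ca", 0x85: "only_attr"}


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def parse_idp(der):
    """Return the scoping flags of a DER-encoded IDP extension value."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("IDP must be a single SEQUENCE")
    flags = {name: False for name in FLAG_TAGS.values()}
    pos = 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)  # [0]/[3]/[4] are skipped here
        if tag in FLAG_TAGS:
            # DER encodes TRUE as 0xFF and omits DEFAULT FALSE entirely;
            # tolerate BER encoders that emit an explicit FALSE (0x00).
            flags[FLAG_TAGS[tag]] = value != b"\x00"
    return flags


def crl_covers(idp_der, cert_is_ca):
    """True if a CRL carrying this IDP (None = no IDP) can speak for the cert."""
    if idp_der is None:
        return True  # no IDP: the CRL covers everything the issuer signed
    f = parse_idp(idp_der)
    if f["only_attr"]:
        return False  # attribute-certificate CRLs never cover public-key certs
    if f["only_ca"] and not cert_is_ca:
        return False  # the "CA certs only" CRL Peter describes
    if f["only_user"] and cert_is_ca:
        return False
    return True


# Constructed sample IDP values (not taken from the thread).
IDP_CA_ONLY = b"\x30\x03\x82\x01\xff"    # SEQUENCE { [2] TRUE }
IDP_USER_ONLY = b"\x30\x03\x81\x01\xff"  # SEQUENCE { [1] TRUE }
IDP_EMPTY = b"\x30\x00"                  # SEQUENCE { }
```

A relying party that only consumes a CA-only CRL therefore still needs the OCSP responder (or a second CRL) for subscriber certificates, which is the point of the BR requirement under discussion.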