[cabfpub] BR clarification re: test certificates

Ryan Sleevi sleevi at google.com
Thu Apr 13 18:26:32 UTC 2017


On Thu, Apr 13, 2017 at 2:19 PM, Curt Spann via Public <public at cabforum.org>
wrote:
>
> > * revoked = unexpired, and present in either/both of CRL and OCSP
> CES: Did you really intend ‘either/both’ instead of just ‘both’?
> I don’t think it would be a good idea to only have a certificate’s revoked
> status in one form of the revocation data and not the other.
>

This mostly stems from the fact that 7.1.2.3 allows for omission of the
cRLDistributionPoints (Item b), but requires OCSP (Item c), unless the
server supports stapling.

7.1.2.2 requires the cRLDistributionPoints for sub-CAs (which can _also_ be
server certificates, since we don't restrict the subjectAltName on such
certificates), but also allows (strangely) the omission of OCSP for
stapling (I suppose it's presuming OCSP multi-staple)?

Happy to take a stab at correcting both of these via Ballot, since I
suspect the logical intent, as reflected in your question, is that:

1) CRLs MUST always be present on intermediates
2) OCSP MUST always be present on intermediates (or are we really
advocating for the terribad multi-staple?)
3) CRLs MAY be present on end-entity certificates
4) OCSP MUST be present on end-entity certificates, unless the server
supports stapling
5) CRLs and OCSP responses MUST return the same revocation status
information (presumably, either in Section 2.1 or Section 4.10.1 / 4.10.2)
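Rules 1 through 4 above are properties of the certificate itself (basicConstraints cA, cRLDistributionPoints, and an id-ad-ocsp accessMethod in authorityInfoAccess), so they can be linted. The following is an added example, not code from this thread, from Google or from the CA/Browser Forum. It assumes the Python `cryptography` package, builds its own throwaway certificates under hypothetical example.test URLs, and takes "the server supports stapling" as a caller-supplied flag because that is a TLS-server property, not a certificate field. Rule 5 (CRL and OCSP returning the same status) is responder behaviour and is out of scope for a certificate lint.

```python
"""Lint a certificate's revocation pointers against rules 1-4 of the message above.
Added example, not CA/Browser Forum or Google code. Assumes the `cryptography`
PyPI package; all certificates and URLs below are constructed for the demo."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (AuthorityInformationAccessOID, ExtensionOID,
                                   NameOID)


def has_crldp(cert: x509.Certificate) -> bool:
    """True if a cRLDistributionPoints extension is present (BR 7.1.2.x item b)."""
    try:
        cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
        return True
    except x509.ExtensionNotFound:
        return False


def has_ocsp_pointer(cert: x509.Certificate) -> bool:
    """True if authorityInfoAccess carries at least one id-ad-ocsp accessMethod."""
    try:
        aia = cert.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return False
    return any(ad.access_method == AuthorityInformationAccessOID.OCSP for ad in aia)


def is_ca(cert: x509.Certificate) -> bool:
    """basicConstraints cA decides whether the intermediate or end-entity rules apply."""
    try:
        return cert.extensions.get_extension_for_oid(
            ExtensionOID.BASIC_CONSTRAINTS).value.ca
    except x509.ExtensionNotFound:
        return False


def lint_revocation_pointers(cert: x509.Certificate, server_staples: bool = False):
    """Return a list of findings (empty means clean) for rules 1-4.
    Rule 5 (CRL and OCSP must agree) cannot be judged from the certificate alone."""
    findings = []
    if is_ca(cert):  # rules 1 and 2: intermediates need both pointers
        if not has_crldp(cert):
            findings.append("intermediate: cRLDistributionPoints MUST be present")
        if not has_ocsp_pointer(cert):
            findings.append("intermediate: AIA id-ad-ocsp MUST be present")
    else:  # rule 3: CRLDP is only MAY; rule 4: OCSP unless the server staples
        if not has_ocsp_pointer(cert) and not server_staples:
            findings.append("end-entity: AIA id-ad-ocsp MUST be present unless the server staples")
    return findings


def make_cert(subject_cn, issuer_cn, key, issuer_key, ca, crl_url=None, ocsp_url=None):
    """Build a minimal constructed test certificate; only the extensions under discussion are set."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
               .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + timedelta(days=30))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if crl_url:
        builder = builder.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    if ocsp_url:
        builder = builder.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))]),
            critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def demo():
    """Five constructed cases (hypothetical names and URLs); returns findings per case."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    ica_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    crl, ocsp = "http://crl.example.test/ica.crl", "http://ocsp.example.test"
    cases = {
        "ica_ok":        (make_cert("Test ICA", "Test Root", ica_key, root_key, True, crl, ocsp), False),
        "ica_no_ocsp":   (make_cert("Test ICA", "Test Root", ica_key, root_key, True, crl, None), False),
        "leaf_ok":       (make_cert("www.example.test", "Test ICA", leaf_key, ica_key, False, None, ocsp), False),
        "leaf_bare":     (make_cert("www.example.test", "Test ICA", leaf_key, ica_key, False, None, None), False),
        "leaf_stapling": (make_cert("www.example.test", "Test ICA", leaf_key, ica_key, False, None, None), True),
    }
    return {name: lint_revocation_pointers(c, staples) for name, (c, staples) in cases.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'clean' if not findings else findings}")
```

The lint keys on the cA flag rather than on the subjectAltName, which is exactly the point made above: a sub-CA certificate that also carries server names still has to meet the intermediate rules. A leaf with no OCSP pointer is clean only when the caller asserts that the server staples; drop that flag in a real deployment check and the bare leaf is flagged.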