[cabfpub] BR clarification re: test certificates

Ryan Sleevi sleevi at google.com
Mon Apr 17 14:59:24 UTC 2017

On Mon, Apr 17, 2017 at 10:05 AM, Gervase Markham <gerv at mozilla.org> wrote:

> On 13/04/17 19:26, Ryan Sleevi via Public wrote:
> > 5) CRLs and OCSP responses MUST return the same revocation status
> > information (presumably, either in Section 2.1 or Section 4.10.1 /
> 4.10.2)
> That sounds like a difficult coordination problem to do strictly. Would
> it need to say "once more than X time has elapsed since the revocation
> was first published"?

It may be useful to state why you believe it's difficult.

I suspect your concern is related to the fact that, for subscriber
certificates, there is no stipulation upon when the CA must publish its CRL
(Section 4.9.7) or OCSP response (Section 4.9.10). There is for subordinate
CA certificates (within 24 hours of revocation, also Section 4.9.7 and
Section 4.9.10).

So on one extreme, we know that the absolute upper-bound that it's
acceptable to update its information is 10 days.

At the same time, Section states that the CA SHALL revoke a
certificate within 24 hours for those events. Section 9.6.1 requires that
the CA maintain a 24x7 publicly-accessible Repository with _current_
information regarding the status (valid or revoked) of all unexpired
certificates for sub-CAs (Section 9.6.1). For the CA itself, it's required
that the CA SHALL maintain an online 24/7 Repository that application
software can use to automatically check the _current_ status of all
unexpired Certificates issued by the CA (Section 4.10.2)

So using a different read, OCSP and CRL responses MUST be immediately
available after revocation, otherwise, it's not _current_ status.
Similarly, if the OCSP and CRL responses disagree, then one of them is not
_current_ information.

Given that several CA members have suggested that OCSP stapling is less
secure than revocation checking, because it allows for protecting "more"
users, it would seem consistent that these CAs view the publication of CRLs
and OCSP responses as an immediate requirement, that the act of revocation
happen within 24 hours of a problem report, and that there's no difficulty
in coordinating the publication.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170417/9393bdd3/attachment-0003.html>

More information about the Public mailing list