[cabfpub] Profiling OCSP & CRLs

Mon Jul 10 17:48:28 UTC 2017

Based on the public discussion, here on the list and on the GitHub, and the
private discussions, both off-list and at the CA/Browser Forum F2F in
Berlin, I've attempted to update the draft to reflect the discussions.

To review the overall diff, with inline annotations,
https://github.com/sleevi/cabforum-docs/pull/2/files

To review the difference of those discussions, you can compare with
https://github.com/sleevi/cabforum-docs/compare/03d4055ef2a08ad4bdecf9aab42440da080b244b...3171d339a9b5ca1e57b77c5175c6ea853f4cf24c

Here's the summary form:
- From the discussion related to a target of 30/31 days for Delegated OCSP
Responders, it is clear that some CAs strongly prefer longer-lived
responder certificates, largely due to the operational challenges involved
with offline issuance scenarios. To balance that, based on the private
discussions had with several CAs regarding their infrastructure, I've
attempted to capture this in 4.9.1.2. In short, if a long-lived Delegated
OCSP Responder is misused or compromised, the revocation status of all
issued certificates is called into question, and since it's not possible to
recover from this scenario (such as within 30 days), the only mitigation
identified is to fully revoke the issuing CA certificate. This appears to
be the standard assumption for several CAs practicing these long-lived
responders, and hopefully aligns with their own operational security
practices.
- The response lifetime to a subordinate CA is dropped to 3 months (from
the existing, implied one year), based on the suggestion of Doug Beattie.
- To account for IOT scenarios raised by some members, the requirement to
pre-produce OCSP responses has been relaxed. If you're using a Delegated
OCSP Responder (which has a specific technical profile associated with it),
and its validity period is less than 31 days, CAs are exempt from the MUST
requirement. I'm curious how folks would feel if this date was tightened
further - perhaps to 15 days for the Responder - to best balance the risk
of an Internet-facing signing system versus the benefit of not requiring a
large number of responses. Personally, given the HSMs currently or pending
availability, I still strongly believe that pre-producing and distributing
responses across-the-board is the best security architecture, but I'm
willing to see some of that phased in over time.

>From the discussion, there were some broader points discussed, and from
some of the offline discussions, some rather surprising architecture
disclosures, so I'm curious on how best to express the following:

I had thought it clear that, under the current Baseline Requirements, all
Delegated OCSP Responder Private Keys were subject to the same requirements
as "CA Private Key" - that is, Sections 5.2, 6.1.1.1, and 6.2 absolutely
applied. Some CAs indicated that they did not share that interpretation -
for example, that it was acceptable to deploy the CA private key directly
to their CDN partners, or it was acceptable to maintain a copy of the
private key on the disk of the OCSP responder system. I'm curious, more
broadly, if the Forum members share that interpretation or have reason to
believe it's a desirable property, and if not, where might be appropriate
to best clarify this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170710/568dff61/attachment.html>