[Servercert-wg] Aligning the BRs with existing Browser Requirements

Ryan Sleevi sleevi at google.com
Sat Oct 12 11:06:05 MST 2019


In the short time since sending this, I've already had someone point me to
another Root Program requirement that overrides or goes above and beyond
the BRs.

The requirements on OCSP for Subscriber certificates are updated to align
with the requirements placed by Microsoft:

   - The BRs allow for the omission of the OCSP responder, if and only if
   it's for a high-traffic FQDN (an undefined term in terms of degree), and if
   the CA contractually or technically enforces this.
   - Microsoft requires OCSP support in all end-entity certificates,
   regardless of the stapling status (
   https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#a-root-requirements #5)
   - The BRs permit omitting OCSP responder URLs from intermediates if the
   server staples according to RFC 4366. However, RFC 4366 does not allow
   stapling intermediate responses (that's RFC 6961, now obsoleted by RFC
   8446), so there was never a way a CA could legitimately comply with the
   provisions here in a way that permitted omission for intermediates.
   - This updates Section 4.9.11 to remove the contract language, Section
   7.1.2.2(c) to reflect it was never possible, and Section 7.1.2.3(c) to
   reflect that Microsoft policy does not permit this, despite the BRs
   allowing it.

You can see that change in isolation at
https://github.com/cabforum/documents/commit/5c40604fecffecfdc889e225fe60d717c17af583,
or the overall set of changes continue to be available at
https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
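A check a CA or relying party can run against the Microsoft rule quoted above (OCSP responder required in every end-entity certificate, stapled or not), as an added Go example that is not from this thread or the cabforum/documents repository: it parses a DER certificate with the standard library and reports whether a leaf carries an OCSP URL in its AIA extension. The self-signed certificates and the example.test URL are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// HasOCSPResponder parses a DER certificate and reports whether it carries an
// OCSP responder URL in its AIA extension (Go exposes these as OCSPServer).
// CA certificates are out of scope for this check and always return true.
func HasOCSPResponder(der []byte) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	if cert.IsCA {
		return true, nil
	}
	return len(cert.OCSPServer) > 0, nil
}

// constructedLeaf builds a throwaway self-signed leaf for the demo; ocspURLs
// is what ends up in the AIA extension (nil means no OCSP entry at all).
func constructedLeaf(ocspURLs []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"leaf.example.test"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		OCSPServer:   ocspURLs,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, urls := range [][]string{nil, {"http://ocsp.example.test"}} {
		der, _ := constructedLeaf(urls)
		ok, err := HasOCSPResponder(der)
		fmt.Printf("AIA OCSP %v -> has responder: %v (err: %v)\n", urls, ok, err)
	}
}
```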
