[Smcwg-public] CRL and / or OCSP
Stephen.Davidson at digicert.com
Tue Jun 14 21:07:21 UTC 2022
Thank you all for your detailed input at the CABF last week. I was really pleased at the progress we are making to resolve outstanding issues.
In the course of our discussions, a number of questions have been raised by both Certificate Consumers and Certificate Issuers relating to CRL and OCSP as described in Section 7.1.2.3 (b). To summarise:
* It has been suggested that OCSP should be optional as in some cases it might present a privacy concern (where a CA could hypothetically track the opening of an email).
* It has equally been suggested that it may be sufficient to have support for either CRL or OCSP.
* It was also pointed out that existing text did not allow multiple CDPs.
Martijn Katerbarg has kindly captured that discussion in a pull request, whose redline is shown here: https://github.com/cabforum/smime/pull/140/files. In short it allows (CRL and OCSP) or (CRL or OCSP) deployments by CAs issuing S/MIME.
I am highlighting this as at least one Root Store Program requires OCSP, so we seek clarity on whether the intent of that requirement applies to TLS only or to all leaf certificates. I know that another CABF WG has discussed a similar proposal, but it has not yet progressed to ballot.
I encourage members, particularly Certificate Consumers, who have an opinion on the matter to be ready to discuss it on our next call.
Best regards, Stephen
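As an added illustration (not part of the message or the working group's pull request), the following Go program checks which reading of the profile a leaf certificate satisfies: it reads the CRL Distribution Points and OCSP AIA entries from a certificate and evaluates both the "(CRL and OCSP) or (CRL or OCSP)" rule and the stricter "CRL and OCSP" reading. The certificate and its revocation URIs are constructed placeholders so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationInfo summarises the revocation pointers found in a leaf certificate.
type RevocationInfo struct {
	CRLs []string // every URI from the CRL Distribution Points extension
	OCSP []string // every OCSP URI from the Authority Information Access extension
}

// Inspect pulls the two extensions the profile discussion is about out of a parsed cert.
func Inspect(cert *x509.Certificate) RevocationInfo {
	return RevocationInfo{CRLs: cert.CRLDistributionPoints, OCSP: cert.OCSPServer}
}

// MeetsProposedProfile applies the relaxed rule: at least one CDP or at least one
// OCSP responder is enough, and several CDPs are acceptable.
func MeetsProposedProfile(info RevocationInfo) bool {
	return len(info.CRLs) > 0 || len(info.OCSP) > 0
}

// MeetsBothRequired models the stricter reading in which OCSP is mandatory alongside CRL.
func MeetsBothRequired(info RevocationInfo) bool {
	return len(info.CRLs) > 0 && len(info.OCSP) > 0
}

// MakeTestLeaf builds a self-signed certificate carrying the given constructed
// (placeholder) revocation URIs, so the checks above can run without a real CA.
func MakeTestLeaf(crls, ocsp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "leaf.example.test"}, // placeholder name
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: crls,
		OCSPServer:            ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Two CDPs and no OCSP responder: passes the proposed rule, fails the strict one.
	cert, err := MakeTestLeaf([]string{"http://crl1.example.test/a.crl", "http://crl2.example.test/b.crl"}, nil)
	if err != nil {
		panic(err)
	}
	info := Inspect(cert)
	fmt.Printf("CDPs=%d OCSP=%d proposed=%v strict=%v\n", len(info.CRLs), len(info.OCSP), MeetsProposedProfile(info), MeetsBothRequired(info))
}
```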