[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Adam Langley agl at google.com
Wed Jul 24 15:09:36 UTC 2013


On Wed, Jul 24, 2013 at 9:44 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
> Ah, so something has changed.  Previously, you'd switched off Online
> OCSP lookups in all cases.

I think Chris is using Mac where OCSP checks are done for EV due to
platform behaviours on OS X.

On other platforms, a valid, current CRLSet will disable OCSP checks.
See line 90 of

http://src.chromium.org/viewvc/chrome/trunk/src/net/cert/cert_verify_proc.cc?revision=211347

> So IINM, Chrome today is very unlikely to use
> OCSP to check any EV certificate, and yet you want to remove EV
> indicators based on OCSP Responder behaviour?  This still puzzles me.

Without hard-fail OCSP, you're quite correct that this measure is not
especially important. I don't believe, offhand, that it materially
affects Chrome security.

I think you're reading Ryan's response as suggesting that we feel that
this measure is deeply important and that EV status is unreasonable
for CAs that don't implement it. I don't believe that was the
intention.

Rather, with a "no" vote, we're saying that a year (roughly) is a
reasonable amount of time to implement this. CAs have to correctly
perform a fairly technical task. They should have the technical
ability, in-house, to do something like this. Some might want to buy
outside software in order to use that ability more efficiently but
that doesn't mean that they don't have to meet the Baseline.

Separately, and generally, we're saying that the Baseline is important
and that CAs that fall below it risk measures including the removal of
EV status. Any actions will be proportionate, but CAs should expect to
meet the requirements in the Baseline.


Cheers

AGL
