[cabfpub] Revocation Information

Jeremy.Rowley jeremy.rowley at digicert.com
Thu Sep 25 14:55:49 MST 2014


Same with DigiCert

On 9/25/2014 1:16 AM, i-barreira at izenpe.net wrote:
> Gerv, in case you´re interested, Izenpe answers are also yes, yes, and no
>
>
> Iñigo Barreira
> Responsable del Área técnica
> i-barreira at izenpe.net
> 945067705
>
>
> ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!
> ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.
>
> -----Mensaje original-----
> De: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] En nombre de Rick Andrews
> Enviado el: miércoles, 24 de septiembre de 2014 21:51
> Para: Gervase Markham; CABFPub
> Asunto: Re: [cabfpub] Revocation Information
>
> Gerv,
>
> These are the answers for Symantec:
>
> 1) Yes, although in some cases we've issued both end-entities and intermediates from the same root or intermediate CA.
> 2) Yes, CRLs. We provide OCSP too. We always provide both.
> 3) No, but thanks for asking.
>
> -Rick
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
> Sent: Tuesday, September 23, 2014 3:35 AM
> To: CABFPub
> Subject: [cabfpub] Revocation Information
>
> Hi everyone,
>
> At the face-to-face in Beijing, we talked out our new plan for revocation, and specifically OneCRL, our plan to aggregate revocation information for all non-leaf certificates (and perhaps some others) into a single source which Firefox would then download regularly, probably daily.
>
> I had three questions for the CAs in the group, although there was not time to have a long discussion about them then, so I am presenting them here.
>
> They are:
>
> 1) If we asked you to provide a set of URLs which together provided revocation information for all the non-EE certificates in hierarchies which chained up to a root we trust, could you do that?
>
> 2) Would all those URLs be URLs to CRLs? (I.e., to reverse the question, are there any intermediate certs for which you only provide revocation info via OCSP?)
>
> 3) Would you need some of that set of URLs to be secret (i.e. revealed to Mozilla, but you would prefer Mozilla not to reveal them to others)?
> If so, why?
>
>
> I expect the answers from all CAs to be Yes, Yes and No, so if your answer as a CA would be something else, please speak up :-)
>
> We would want to build a system to make it easy for CAs to provide this information on an ongoing basis, but the discussion of how we do that is out of scope for the moment.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> .
>



More information about the Public mailing list