[cabfpub] OCSP Requirement for Root CA

Peter Bowen pzb at amzn.com
Fri Jan 15 18:01:56 UTC 2016


Ken,

Note that OCSP for root CAs like yours is only required to refresh the responses once every twelve months, when things are going well.  This is the same frequency as CRL updates.  It is entirely possible to sign the OCSP responses during the same ceremony where you sign the CRLs or new subordinates and then just serve those as static files.  CA/B Forum does not require the OCSP responder to support nonces so dynamic response generation is not a requirement.

Thanks,
Peter

> On Jan 15, 2016, at 9:51 AM, Myers, Kenneth (10421) <kenneth.myers at protiviti.com> wrote:
> 
> Hi Jeremy, <>
>  
> The use case is a Root CA that issues long term CA certificates to a limited number of organizations who operate their own issuing CAs independent from the same infrastructure of the root.
>  
> For example, the Federal Government operates a Trust Anchor and issues 10 year subordinate certificates to a limited number of agencies (around 10). Those organizations operate their own intermediate and issuing CAs. The issuing CAs are required to have OCSP. All operate under the same CP but have different organizational CPS. OCSP is not a requirement of the root as long as we have a highly available HTTP CRL and because of the low issuance volume it is not big or will get big based on this model.
>  
>  
> Ken
>  
> From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com>] 
> Sent: Wednesday, January 13, 2016 21:43
> To: Peter Bowen <pzb at amzn.com <mailto:pzb at amzn.com>>; Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com>>; Myers, Kenneth (10421) <kenneth.myers at protiviti.com <mailto:kenneth.myers at protiviti.com>>; Ben Wilson <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com>>; public at cabforum.org <mailto:public at cabforum.org>
> Subject: RE: [cabfpub] OCSP Requirement for Root CA
>  
> That’d be interesting.  Is there a use case for it? 
>  
> I don’t see any reason it couldn’t be done that way assuming you still have an OCSP response that complies with 4.9.10. 
>  
> From: public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>] On Behalf Of Peter Bowen
> Sent: Wednesday, January 13, 2016 1:49 PM
> To: Ryan Sleevi; Myers, Kenneth (10421); Ben Wilson; public at cabforum.org <mailto:public at cabforum.org>
> Subject: Re: [cabfpub] OCSP Requirement for Root CA
>  
> On Jan 13, 2016, at 10:15 AM, Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com>> wrote:
> On Wed, Jan 13, 2016 at 10:03 AM, Ben Wilson <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com>> wrote:
> Is the requirement really clear?  Some browsers don't check OCSP for intermediates and use CRLs instead. 
>  
> So? The BRs themselves are clear it's a requirement. I mean, if we want to change to discuss that practical reality, we certainly can, but we should at least honor the rules as written.
>  
> Section 4.9.10 makes that clear. 7.1.2.2 item c also makes this clear.
>  
> It seems pretty clear to me.  
>  
> If a CA signs a certificate with CA:True in basicConstraints, then it must issue CRLs.
>  
> If a CA issues certificates covered by the BRs (either subscriber certificates or CA cross-certificates), then it must have an associated OCSP responder.
>  
> I think it is allowable that a CA that issues both kinds of certs (subscriber and CA) can issue CRLs with an IDP extension that indicates that the CRL only covers CA certs.
>  
> Does this sound right?
>  
> Thanks,
> Peter

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160115/e39e0548/attachment-0003.html>


More information about the Public mailing list