[cabfpub] Profiling OCSP & CRLs
Dimitris Zacharopoulos
jimmy at it.auth.gr
Mon Jul 17 23:44:15 MST 2017
On 11/7/2017 12:17 AM, Ryan Sleevi via Public wrote:
> I think pre-generation may be something that CAs
> really need to start thinking about and planning for now, so we can
> figure out how to make this real in five years and finally have the
> revocation system everyone says they want.
Some CAs are in a situation where the digitalSignature bit is turned off
in the keyUsage extension. For Intermediate CA Certificates, CAs can
roll out replacements. Are there any recommendations for pre-generating
OCSP responses from existing Root CA Certificates that don't have the
digitalSignature bit in the KU extension? If there is no feasible way to
fix this case, we would like to request an exception for these Root CAs
and allow 12 months duration of delegated OCSP responder Certificates
from these Roots.
Dimitris.