[cabfpub] Profiling OCSP & CRLs

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Jul 17 23:44:15 MST 2017

On 11/7/2017 12:17 AM, Ryan Sleevi via Public wrote:
> I think pre-generation may be something that CAs
> really need to start thinking about and planning for now, so we can
> figure out how to make this real in five years and finally have the
> revocation system everyone says they want.

Some CAs are in a situation where the digitalSignature bit is turned off 
in the keyUsage extension. For Intermediate CA Certificates, CAs can 
roll out replacements. Are there any recommendations for pre-generating 
OCSP responses from existing Root CA Certificates that don't have the 
digitalSignature bit in the KU extension? If there is no feasible way to 
fix this case, we would like to request an exception for these Root CAs 
and allow 12 months duration of delegated OCSP responder Certificates 
from these Roots.
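
The keyUsage situation raised in the message above, as an added example that is not part of the original post: it decodes the DER BIT STRING of a keyUsage extension (RFC 5280, section 4.2.1.3) and reports whether the CA key could sign OCSP responses itself or only through a delegated responder certificate. The function names and the two sample extension values are constructed for illustration, and the direct/delegated rule follows the premise of the message (direct signing needs digitalSignature).

```python
# Added example: decode a keyUsage extension value and classify how a CA
# could produce OCSP responses. Sample values below are constructed.
KEY_USAGE_BITS = [  # named bits 0..8 from RFC 5280, section 4.2.1.3
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def parse_key_usage(ext_value: bytes) -> set:
    """Return the named bits asserted in a DER-encoded keyUsage BIT STRING."""
    if len(ext_value) < 4 or ext_value[0] != 0x03:
        raise ValueError("keyUsage must be a non-empty DER BIT STRING")
    length = ext_value[1]
    if length >= 0x80 or length != len(ext_value) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, content = ext_value[2], ext_value[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(content) * 8 - unused
    asserted = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        # Bit 0 is the most significant bit of the first content octet.
        if i < total_bits and content[i // 8] & (0x80 >> (i % 8)):
            asserted.add(name)
    return asserted

def ocsp_signing_path(ext_value: bytes) -> str:
    """'direct': the CA key may sign OCSP responses itself.
    'delegated': it can only issue an OCSP responder certificate.
    'none': it can do neither."""
    usage = parse_key_usage(ext_value)
    if "digitalSignature" in usage:
        return "direct"
    if "keyCertSign" in usage:
        return "delegated"
    return "none"

# Constructed samples: keyCertSign + cRLSign, without and with digitalSignature.
ROOT_WITHOUT_DS = bytes.fromhex("03020106")
ROOT_WITH_DS = bytes.fromhex("03020186")

if __name__ == "__main__":
    for label, value in (("without DS", ROOT_WITHOUT_DS), ("with DS", ROOT_WITH_DS)):
        print(label, sorted(parse_key_usage(value)), ocsp_signing_path(value))
```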


