Not everyone signs with responders, since they add bulk and complexity to the system.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Patrick Kobly
Sent: Wednesday, May 14, 2014 11:07 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: CA Communication - May 12, 2014

On Monday, 12 May 2014 13:45:16 UTC-6, Jeremy Rowley wrote:
> +1. This is especially true in the federal space where some intermediates
> are stored offline most of the time. Per Section 4.9.7 of the FBCA CP,
> these CAs use a 31-day interval for status information. Bringing the CA
> online to generate responses every 10 days will actually make those CAs less
> secure.

Perhaps I'm dense and missing something, or perhaps this isn't the right place to be asking. Why would this necessitate bringing the CA online when responses can be signed by an Authorized Responder (i.e. a cert with EKU id-kp-OCSPSigning)?

FWIW, Rob's concerns regarding the change process are certainly reasonable.

PK
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
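The delegated-responder arrangement Patrick asks about, worked through with the openssl command-line tool as an added example (this is not code from the thread or from any CA's tooling). The CA key is used exactly once, to issue a responder certificate carrying the id-kp-OCSPSigning EKU; every OCSP response is then signed with the responder's own key, and a relying party accepts it because the responder chains to the issuing CA and has that EKU. A second signer with the same profile but without the EKU shows that the check is enforced. All names (ca, responder, plain, leaf, revoked), serial numbers, the 30-day certificate lifetimes and the two index rows are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): an OCSP Authorized Responder signs
# status responses so the issuing CA key can stay offline. Every name,
# serial and status row below is assumed/constructed for this demo.
set -eu

issue() {  # issue NAME EXT_SECTION SERIAL SUBJECT : the CA signs a CSR (the only step that touches ca.key)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$4" -config ext.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$3" \
    -days 30 -extfile ext.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}

setup_pki() {  # builds the whole demo PKI in a scratch directory
  cd "$(mktemp -d)"
  cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
[ responder_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
noCheck = ignored
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # The issuing CA: in the scenario from the thread this key lives offline.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 \
    -subj "/CN=Example Offline CA" -config ext.cnf -extensions ca_ext 2>/dev/null
  # responder_ext carries id-kp-OCSPSigning plus id-pkix-ocsp-nocheck (noCheck),
  # so clients do not in turn ask for the responder certificate's own status.
  issue responder responder_ext 0x1001 "/CN=Example OCSP Responder"
  issue plain     leaf_ext      0x1002 "/CN=Not An OCSP Responder"
  issue leaf      leaf_ext      0x1003 "/CN=www.example.test"
  issue revoked   leaf_ext      0x1004 "/CN=old.example.test"
  # Status database in openssl-ca index format (V=valid, R=revoked); constructed rows.
  printf 'V\t351231235959Z\t\t1003\tunknown\t/CN=www.example.test\n' > index.txt
  printf 'R\t351231235959Z\t240601120000Z,keyCompromise\t1004\tunknown\t/CN=old.example.test\n' >> index.txt
}

sign_response() {  # sign_response SIGNER SUBJECT OUT : the online responder answers with SIGNER's key, never ca.key
  # -reqout is written before openssl looks for a responder to contact, so its exit status is ignored here.
  openssl ocsp -issuer ca.crt -cert "$2.crt" -no_nonce -reqout req.der >/dev/null 2>&1 || true
  openssl ocsp -index index.txt -CA ca.crt -rsigner "$1.crt" -rkey "$1.key" -rmd sha256 \
    -reqin req.der -respout "$3" -noverify >/dev/null 2>&1
}

verify_response() {  # verify_response RESP SUBJECT : relying-party check; prints the status, or "fail"
  if out=$(openssl ocsp -respin "$1" -issuer ca.crt -cert "$2.crt" -CAfile ca.crt -no_nonce 2>/dev/null); then
    printf '%s\n' "$out" | sed -n "s/^$2\.crt: //p"
  else
    echo fail
  fi
}

demo() {  # prints the three outcomes on one line: "good revoked fail"
  setup_pki
  sign_response responder leaf    good.der
  sign_response responder revoked revoked.der
  sign_response plain     leaf    bad.der      # signer chains to the CA but lacks id-kp-OCSPSigning
  printf '%s %s %s\n' "$(verify_response good.der leaf)" \
    "$(verify_response revoked.der revoked)" "$(verify_response bad.der leaf)"
}

demo
```

The third result is the point of the EKU: the `plain` certificate is a perfectly valid end-entity certificate from the same CA, yet a response it signs is rejected, so delegation cannot be claimed by just any certificate the CA has issued. The extra material Jeremy refers to is also visible here: the responder is one more key, certificate and service to run and renew, in return for which ca.key is touched only when the responder certificate itself is issued.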