On Wed, May 14, 2014 at 10:06 AM, Patrick Kobly <patr...@kobly.com> wrote:
> Perhaps I'm dense and missing something or perhaps this isn't the right
> place to be asking. Why would this necessitate bringing the CA online when
> responses can be signed by an Authorized Responder (i.e. cert with EKU
> id-kp-OCSPSigning)?

Right. Bulk preproduction of direct-signed OCSP responses is another way of handling it. Nobody wants CA certificates to be online more than otherwise necessary just to support shorter validity periods for OCSP responses.

> FWIW, Rob's concerns regarding the change process are certainly reasonable.

We did not intentionally want to short-circuit any process. I implemented the restriction to 10 days due to a misunderstanding of the baseline requirements, and then we decided my misunderstanding is better than what the BRs would say, so we considered leaving my misunderstanding in the code while we concurrently worked to improve the BRs to match my misunderstanding. Ultimately, we decided to revert to the less-reasonable but more compatible behavior.

It is OK (good even) for us to add additional requirements that go beyond the baseline & EV requirements and not everything has to be approved through CAB Forum. We do it all the time (otherwise our CA program documentation would consist solely of "See the Baseline Requirements and EV Requirements"). Google is doing the same with their proposed CT requirements for EV. In this case, though, it was just an accident.

Cheers,
Brian
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy