On 11/7/2017 12:17 AM, Ryan Sleevi via Public wrote:
> I think pre-generation may be something that CAs really need to start thinking about and planning for now, so we can figure out how to make this real in five years and finally have the revocation system everyone says they want.
Some CAs are in a situation where the digitalSignature bit is turned off in the keyUsage extension. For Intermediate CA Certificates, CAs can roll out replacements. Are there any recommendations for pre-generating OCSP responses from existing Root CA Certificates that don't have the digitalSignature bit in the KU extension? If there is no feasible way to fix this case, we would like to request an exception for these Root CAs and allow 12 months duration of delegated OCSP responder Certificates from these Roots.
Dimitris.
