On Sat, Apr 22, 2017 at 03:00:17PM +0300, Ilari Liusvaara wrote: > On Sat, Apr 22, 2017 at 07:53:50AM -0400, Eric Rescorla wrote: > > On Fri, Apr 21, 2017 at 10:52 AM, Nikos Mavrogiannopoulos <[email protected]> > > wrote: > > > > > On Tue, 2017-04-11 at 13:47 -0700, Eric Rescorla wrote: > > > > > > > Do you have any thoughts on what text we should insert here? I admit > > > > to being not that familiar with the practical matters of OCSP > > > > stapling. > > > > > > My issue with OCSP when used under TLS was how to determine the > > > validity of the response when the nextUpdate field is missing. I've > > > added some text for that introducing an (arbitrary) upper limit at: > > > https://github.com/tlswg/tls13-spec/pull/974 > > > > > > This text looks good to me, but it is is a normative change and we've > > been through WGLC so I'd like to hear from a few other people that they're > > OK > > with it (or have the chairs tell me that silence is consent). David > > Benjamin? > > Richard Barnes? Ryan Sleevi? > > I searched what minimum standards for "public" CAs say. The maximum > lifetime there is 10 days (but IIRC some widely-used root program has > lower limit, might have been 7 days).. > > Anybody happens to know a CA that doesn't put NextUpdate in? If so, > what's the OCSP issuance frequency?
The CA Browser baseline requirements have this in 4.9.7: For the status of Subscriber Certificates: If the CA publishes a CRL, then the CA SHALL update and reissue CRLs at least once every seven days, and the value of the nextUpdate field MUST NOT be more than ten days beyond the value of the thisUpdate field For the status of Subordinate CA Certificates: The CA SHALL update and reissue CRLs at least (i) once every twelve months and (ii) within 24 hours after revoking a Subordinate CA Certificate, and the value of the nextUpdate field MUST NOT be more than twelve months beyond the value of the thisUpdate field. And in 4.9.10: For the status of Subscriber Certificates: The CA SHALL update in formation provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days. For the status of Subordinate CA Certificates: The CA SHALL update information provided via an Online Certificate Status Protocol at least (i) every twelve months and (ii) within 24 hours after revoking a Subordinate CA Certificate. So for OCSP of a subordinate CAs there doesn't seem to be any requirement for a nextUpdate. Kurt _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
