[cabfpub] Profiling OCSP & CRLs

Ryan Sleevi sleevi at google.com
Tue Apr 25 16:53:01 MST 2017


Hi folks,

In response to various investigations about OCSP performance, operation,
and trying to figure out how we can move to a world of more ubiquitous OCSP
stapling, one of the things that comes up is that OCSP responses are very
much like the pre-BR wild-west of certificates.

I've tried to capture a starting point for discussion at
https://github.com/sleevi/cabforum-docs/pull/2/files?diff=split . I've
tried to annotate the changes, and the reason for the changes, so that
people can understand them, their goals, and the implications.

While I'd like to get this to the point of a Ballot, it's not quite there
yet. In particular, it doesn't state Effective Dates, because I want to get
a sense of the challenges that each bit may pose :)

If people find this approach useful, I'd like to also reform the CRL
profile in a similar fashion.

There's also a lot of ways to express these requirements. I considered
using a table approach, which I suspect some of our ETSI-audited CA members
will be familiar with, and which I find useful, but I thought it best to
keep the initial discussions simple and textual, and then we can make it
pretty once we're happy with the substance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170425/10d64b77/attachment.html>


More information about the Public mailing list