> If you have further comments or feedback on this, please send your input
> now.
> Otherwise, I will send the communication (via email) this afternoon.
Kathleen,
https://bugzilla.mozilla.org/show_bug.cgi?id=991815#c24
...sounded like a reasonable plan to me.
Yet AFAICT somewhere between comment 24 and comment 28 you've elected to
bypass the CABForum process.
The BRs permit OCSP Responses for Intermediate CA Certificates to be
valid for <=12 months. Suddenly declaring that validity periods of >10
days are forbidden is likely to take quite a few CAs by surprise.
Calling this something for "CAs to _fix_" is likely to prompt "Why, what
rule have we broken?" questions from CAs.
<=12 months are permitted so that CAs don't have to access their offline
root keys frequently, so I think you should expect a backlash from CAs
that would consider it onerous to have to access their offline root keys
every <=10 days.
And once the CAs learn that this is only a temporary measure until
Mozilla implement something akin to CRLSets for intermediate certificate
revocation, well, that will just rub salt into their wounds!
(BTW, Comodo don't have a problem with <=10 days for intermediate OCSP
response validity periods, and personally I would like to see it set
even lower than that. But could we please introduce change in an
orderly fashion?)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
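
The validity window the message argues about is the gap between thisUpdate and nextUpdate in the SingleResponse of an OCSP response for the intermediate CA certificate. The following is an added example, not code from the original thread, from Comodo or from Mozilla: it assumes the Python `cryptography` library, builds a constructed root/intermediate pair and a root-signed GOOD response offline, measures the window a client would see, and checks it against the two ceilings the message cites (12 months under the BRs, approximated here as 365 days, and the proposed 10 days). It also handles a response with no nextUpdate at all, which RFC 6960 permits and which leaves a client with no bound on staleness.

```python
"""Measure the validity window (nextUpdate - thisUpdate) of an OCSP response.

Added example, not code from the original thread. Requires `cryptography`.
The root/intermediate pair and the response are constructed in-process so
the check runs offline; swap in a real DER response fetched from a responder.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# The two ceilings discussed in the thread (assumed: "12 months" taken as 365 days).
BR_INTERMEDIATE_MAX = datetime.timedelta(days=365)
PROPOSED_MAX = datetime.timedelta(days=10)


def _utc_now():
    # Naive UTC, whole seconds: accepted by every cryptography release and
    # survives the GeneralizedTime round trip without rounding surprises.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None, microsecond=0)


def _ca_cert(cn, key, issuer_cert=None, issuer_key=None):
    """Constructed CA certificate; self-signed when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    signer = issuer_key if issuer_key is not None else key
    now = _utc_now()
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(signer, hashes.SHA256())
    )


def build_intermediate_ocsp_response(window_days):
    """DER of a GOOD response about a constructed intermediate, signed by its root.

    window_days=None omits nextUpdate entirely (allowed by RFC 6960).
    """
    root_key = ec.generate_private_key(ec.SECP256R1())
    root = _ca_cert("Constructed Test Root", root_key)
    inter_key = ec.generate_private_key(ec.SECP256R1())
    inter = _ca_cert("Constructed Test Intermediate", inter_key, root, root_key)

    this_update = _utc_now()
    next_update = None if window_days is None else this_update + datetime.timedelta(days=window_days)
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=inter, issuer=root, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.GOOD,
        this_update=this_update, next_update=next_update,
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, root)
    # Signed directly with the root key: this is the "access the offline root" step the thread discusses.
    return builder.sign(root_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _field_utc(resp, name):
    # Newer cryptography exposes aware *_utc properties; older releases only the naive ones.
    if hasattr(resp, name + "_utc"):
        return getattr(resp, name + "_utc")
    value = getattr(resp, name)
    return None if value is None else value.replace(tzinfo=datetime.timezone.utc)


def ocsp_validity_window(der):
    """Return nextUpdate - thisUpdate as a timedelta, or None when nextUpdate is absent."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("not a successful OCSP response: %s" % resp.response_status)
    this_update = _field_utc(resp, "this_update")
    next_update = _field_utc(resp, "next_update")
    if next_update is None:
        return None
    return next_update - this_update


def check_window(window, limit=PROPOSED_MAX):
    """'ok' if the window fits under limit, 'too-long' if it exceeds it,
    'open-ended' if nextUpdate was absent (the client cannot bound staleness)."""
    if window is None:
        return "open-ended"
    return "ok" if window <= limit else "too-long"


if __name__ == "__main__":
    for days in (7, 30, 365, None):
        window = ocsp_validity_window(build_intermediate_ocsp_response(days))
        print(days, window, check_window(window), check_window(window, BR_INTERMEDIATE_MAX))
```

To run this against a production responder, replace the constructed response with the DER bytes returned by the responder and feed them to ocsp_validity_window(); a window that passes under BR_INTERMEDIATE_MAX but fails under PROPOSED_MAX is exactly the case the message expects CAs to be surprised by.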