[cabfpub] Ballot 103 - OCSP Stapling and TLS Security Policy Extension
Ben Wilson
ben at digicert.com
Wed Sep 4 22:22:21 UTC 2013
Robin,
If this draft is acceptable, then we would only be looking for one more
endorser. Please let me know.
Thanks,
Ben
Ballot 103 - OCSP Stapling and TLS Security Policy Extension
Explanation - This motion is made to clarify and simplify language about
OCSP stapling and to promote the development and use of OCSP Stapling by
allowing certificates to contain a TLS Security Policy Extension.
Ben Wilson of DigiCert made the following motion, and Robin Alden from
Comodo and ______ from _______ endorsed it:
Motion Begins
EFFECTIVE IMMEDIATELY, in order to clarify language in section 13.2.1 of the
Baseline Requirements and in Appendix B concerning
authorityInformationAccess (AIA), and allow use of the TLS Security Policy
Extension, we propose the following amendments:
(1) Delete the second paragraph of Section 13.2.1 "Mechanisms" so that as
amended the section will read as follows:
"13.2.1 Mechanisms
The CA SHALL make revocation information for Subordinate Certificates and
Subscriber Certificates available in accordance with Appendix B."
(2) In Appendix B "(2) Subordinate CA Certificate" replace point C.
authorityInformationAccess with:
C. authorityInformationAccess
This extension MUST be present. It MUST NOT be marked critical, and it MUST
contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1).
For Certificates that are not issued by a Root CA, this extension SHOULD
contain the HTTP URL where a copy of the Issuing CA's certificate
(accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online
repository.
(3) In Appendix B "(3) Subscriber Certificate" replace point C.
authorityInformationAccess with:
C. authorityInformationAccess
This extension MUST be present. It MUST NOT be marked critical, and it MUST
contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1).
This extension SHOULD contain the HTTP URL where a copy of the Issuing CA's
certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a
24x7 online repository.
(4) In Appendix B "(3) Subscriber Certificate" replace point D.
basicConstraints (optional) with:
D. basicConstraints (optional)
If present, this field MUST be marked critical, and the cA field MUST be set
to false.
(5) In Appendix B "(3) Subscriber Certificate" after point F insert a new
point G (TLS Security Policy Extension) as follows:
G. TLS Security Policy Extension (optional)
Subscriber Certificates MAY contain the TLS Security Policy Extension
[http://datatracker.ietf.org/doc/draft-hallambaker-tlssecuritypolicy/]
advertising that the status_request feature of OCSP stapling is available
and supported by the Subscriber. If present, this field SHOULD NOT be marked
critical.
=====Motion Ends=====
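The amended Appendix B text above fixes the exact content of the authorityInformationAccess and basicConstraints extensions. The following is an added example, not part of Ben Wilson's message and not CA/Browser Forum code: it DER-encodes an AIA value from (accessMethod, URL) pairs, decodes it back, and checks the decoded extension against the ballot's MUST and SHOULD rules, with a companion check for the Subscriber Certificate basicConstraints rule. The two accessMethod OIDs are the ones quoted in the ballot; the hostnames are constructed placeholders, and the function names are this example's own.

```python
"""DER helpers and checks for the AIA and basicConstraints rules of Ballot 103.

Added example; not CA/Browser Forum code. The OIDs come from the ballot text;
the URLs used in __main__ are constructed placeholders.
"""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # accessMethod for the OCSP responder
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # accessMethod for the issuer certificate


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_aia(entries):
    """AuthorityInfoAccessSyntax: SEQUENCE OF AccessDescription,
    each { accessMethod OID, accessLocation uniformResourceIdentifier [6] }."""
    descs = [_tlv(0x30, encode_oid(m) + _tlv(0x86, url.encode("ascii"))) for m, url in entries]
    return _tlv(0x30, b"".join(descs))


def encode_basic_constraints(ca):
    """BasicConstraints: cA has DEFAULT FALSE, so DER omits it when false."""
    return _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    # Enough for the 1.x and 2.x arcs used here; 2.x arcs >= 80 need more care.
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_aia(der):
    """Return [(accessMethod OID, URL-or-None), ...] from a DER AIA value."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "AIA value must be a SEQUENCE"
    entries, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)
        _, oid_body, after_oid = _read_tlv(desc, 0)
        loc_tag, loc_body, _ = _read_tlv(desc, after_oid)
        # Only the uniformResourceIdentifier form of GeneralName matters here.
        url = loc_body.decode("ascii") if loc_tag == 0x86 else None
        entries.append((decode_oid(oid_body), url))
    return entries


def check_aia(der, critical):
    """Apply the ballot's AIA rules; der is None when the extension is absent."""
    if der is None:
        return [("MUST", "authorityInformationAccess is absent")]
    findings = []
    if critical:
        findings.append(("MUST", "authorityInformationAccess is marked critical"))
    entries = decode_aia(der)

    def has_http(method):  # the ballot asks for an HTTP URL specifically
        return any(m == method and url and url.lower().startswith("http://") for m, url in entries)

    if not has_http(ID_AD_OCSP):
        findings.append(("MUST", "no HTTP URL for the OCSP responder (id-ad-ocsp)"))
    if not has_http(ID_AD_CA_ISSUERS):
        findings.append(("SHOULD", "no HTTP URL for the issuing CA certificate (id-ad-caIssuers)"))
    return findings


def check_basic_constraints(der, critical):
    """Subscriber Certificate rule: optional, but if present critical and cA false."""
    if der is None:
        return []
    findings = []
    if not critical:
        findings.append(("MUST", "basicConstraints present but not marked critical"))
    _, seq, _ = _read_tlv(der, 0)
    if seq:
        tag, body, _ = _read_tlv(seq, 0)
        if tag == 0x01 and body != b"\x00":  # cA BOOLEAN present and not FALSE
            findings.append(("MUST", "cA is true in a Subscriber Certificate"))
    return findings


if __name__ == "__main__":
    # Constructed placeholder URLs, not real responders.
    aia = encode_aia([(ID_AD_OCSP, "http://ocsp.example.test"),
                      (ID_AD_CA_ISSUERS, "http://crt.example.test/issuer.crt")])
    print(aia.hex())
    print(check_aia(aia, critical=False))
    print(check_aia(encode_aia([(ID_AD_OCSP, "https://ocsp.example.test")]), critical=True))
    print(check_basic_constraints(encode_basic_constraints(True), critical=False))
```

Findings are returned as (level, message) pairs so that a linter can fail on MUST violations and merely report SHOULD ones; the https-only OCSP case is flagged because the ballot text asks for an HTTP URL, and the caller supplies the extension's critical flag separately because criticality lives in the Extension wrapper, not in the extnValue being decoded here.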