<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:953100767;
mso-list-type:hybrid;
mso-list-template-ids:-1132934112 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Moving this pre-proposal to the public list for more discussion.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> management-bounces@cabforum.org [mailto:management-bounces@cabforum.org] <b>On Behalf Of </b>Ben Wilson<br><b>Sent:</b> Wednesday, March 20, 2013 4:08 PM<br><b>To:</b> CABFMAN<br><b>Subject:</b> [cabfman] OCSP Stapling and Short-Lived Certificates<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>All,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Before moving this toward a ballot, attached are a few redlined pages of the Baseline Requirements to address OCSP stapling and short-lived certificates. After you’ve had the chance to look at them, please review some of the reasoning below that is in support of the proposed changes. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>As background, the language being modified was originally intended to address the omission of the AIA for OCSP if the CA and the customer properly configured retrieval of OCSP responses in a must-staple scenario. However, since then our Forum discussions have revealed that the server software handles stapling best by pulling the OCSP server address from the certificate (manual configuration errors are more likely to occur if the certificates do not contain an AIA pointer to the OCSP Server). <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Section 13.2.1<o:p></o:p></b></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>The Baseline requirements should not imply that OCSP stapling is restricted to high-traffic sites. Also, we think that defining “high-traffic” is problematic. <o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>A customer is not required to always staple. It’s not the sine qua non, and as mentioned above, CAs won’t have as much control here as the current language seems to imply. <o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>If the customer requests the MustStaple OID because it is confident enough in its capabilities to provide stapling consistently, then we should make that available – but the mustStaple identifier should not be required or prohibited. So this language should be a “MAY.” The existing language only partially explains what the MustStaple OID can be used for (i.e. it’s a step toward preventing a downgrade attack when OCSP response are being blocked), but again, the suggested revision does not require anything unless the CA includes the OID in the certificate at the request of the customer. We’re welcome to suggestions on how to word this better.<o:p></o:p></p><p class=MsoNormal><b><o:p> </o:p></b></p><p class=MsoNormal><b>Appendix B Section (2)C – Subordinate CA Certificate<o:p></o:p></b></p><p class=MsoNormal>“With the exception of stapling” should be deleted because it neglects the need for the AIA for OCSP, as discussed above. (The language in the last paragraph is also an incorrect description of the Sub CA’s AIA contents.)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Appendix B Section (3)C. – Subscriber Certificate<o:p></o:p></b></p><p class=MsoNormal>Again, deleting exception for AIA for OCSP stapling, but replacing it with exception for short-lived certificates (“certificates with validity periods of 168 hours or less”). It has been argued that this type of short-lived certificate presents the same risk profile as certificates supported by CRLs and OCSP responses, which are valid and cached for a week to 10 days. Because at least some form of testing should be allowed, and the Baseline Requirements should only set a floor and not prohibit innovative solutions, short-lived certificates without revocation information should not be prohibited. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ben<o:p></o:p></p></div></body></html>