<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Ben, can you please explain what the changes are that you propose
and perhaps a diff from the current guidelines. It's not clear what
exactly is proposed and how it would affect us.<br>
<br>
On 05/28/2013 08:14 PM, Ben Wilson wrote:
<blockquote cite="mid:01b401ce5bc6$c37e0030$4a7a0090$@digicert.com"
type="cite">
<div class="WordSection1">
<p>I am looking for two endorsers of Ballot 103 OCSP Stapling and AIA, which I’ve revised below. I’m flexible on subparagraph (5), and I’ve sent a note to the TLS WG to solicit comments on it.</p>
<p>Ben Wilson of DigiCert made the following motion, and ____ from _____ and ______ from ______ endorsed it:</p>
<p>---Motion Begins ---</p>
<p>EFFECTIVE IMMEDIATELY, in order to clarify the use case for stapling in Section 13.2.1 and to modify the OCSP URI requirement in the authorityInformationAccess of Appendix B of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, we propose the following amendments:</p>
<p>---List of amendments begins---</p>
<p>(1) In Section 13.2.1 “Mechanisms” DELETE the first clause in the second paragraph, "If the Subscriber Certificate is for a high-traffic FQDN", so that as amended the section reads as follows:</p>
<p>"13.2.1 Mechanisms</p>
<p>The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with Appendix B.</p>
<p>The CA MAY rely on stapling, in accordance with [RFC4366], to distribute its OCSP responses. In this case, the CA SHALL ensure that the Subscriber “staples” the OCSP response for the Certificate in its TLS handshake. The CA SHALL enforce this requirement on the Subscriber either contractually, through the Subscriber Agreement or Terms of Use, or by technical review measures implemented by the CA."</p>
<p>(2) In Appendix B "2. Subordinate CA Certificate" remove point C (authorityInformationAccess) and insert:</p>
<p>C. authorityInformationAccess</p>
<p>This extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1).</p>
<p>See Section 13.2.1 for details about OCSP stapling requirements.</p>
<p>Certificates that are not issued by a Root CA SHOULD contain an AIA with the HTTP URL where a copy of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online repository.</p>
<p>(3) In Appendix B "3. Subscriber Certificate" remove point C (authorityInformationAccess) and insert:</p>
<p>C. authorityInformationAccess</p>
<p>This extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1).</p>
<p>Subscriber Certificates SHOULD contain an AIA with the HTTP URL where a copy of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online repository.</p>
<p>(4) In Appendix B "3. Subscriber Certificate" remove point D (basicConstraints) and insert:</p>
<p>D. basicConstraints (optional)</p>
<p>If present, this field MUST be marked critical and the cA field MUST be set to false.</p>
<p>[Optional part of motion: (5) In Appendix B "3. Subscriber Certificate" after point F insert a new point G (TLS Feature Extension) as follows:</p>
<p>G. TLS Feature Extension (optional)</p>
<p>Subscriber Certificates MAY contain the TLS Feature Extension advertising that the status_request feature of OCSP stapling is available and supported by the subscriber. If present, this field MUST NOT be marked critical.]</p>
</div>
</blockquote>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</body>
</html>