<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 12px; font-family: Arial, sans-serif; "><div><div>Hi Kelvin,</div><div><br></div><div>I also think it's also vitally important to include some of the other stakeholders - (Certificate Authority platform providers like Primekey/Ascerita/Microsoft/Entrust etc and OCSP responder service providers like Corestreet).</div><div><br></div><div>Ideally we should list compliant solutions on the CABForum website so that there's some small pressure to meet the new deadlines (small carrot rather than small stick). That was my main point when I first raised the suggestion a while ago so I want to ensure it's followed up again here.</div><div><br></div><div>Hopefully ballot 105 will pass to allow an alternative for those who are able constrain. (Not to lessen the effect of the request to platform providers, but to ensure choice in the market for consumers)</div><div><br></div><div>Steve</div><div><p></p></div></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Kelvin Yiu <<a href="mailto:kelviny@exchange.microsoft.com">kelviny@exchange.microsoft.com</a>><br><span style="font-weight:bold">Date: </span> Tuesday, 23 July 2013 17:48<br><span style="font-weight:bold">To: </span> Ryan Hurst <<a href="mailto:ryan.hurst@globalsign.com">ryan.hurst@globalsign.com</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:public@cabforum.org">public@cabforum.org</a>" <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br><span style="font-weight:bold">Subject: </span> Re: [cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit OCSP good response for non-issued certificates<br></div><div><br></div><div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:243876941;
mso-list-type:hybrid;
mso-list-template-ids:859726108 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="WordSection1"><p class="MsoNormal"><span style="color:#1F497D">Thanks Ryan. I agree that browser vendors should take action to ensure all CAs in their relative root CA program are aware of the requirement and deadline.
<o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="color:#1F497D">I also think the forum need to accomplish 2 tasks before we talk to the remaining CAs:<o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">1.<span style="font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; ">
</span></span></span><!--[endif]--><span style="color:#1F497D">Complete the assessment the product support by commercial OCSP vendors<o:p></o:p></span></p><p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">2.<span style="font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-family: 'Times New Roman'; ">
</span></span></span><!--[endif]--><span style="color:#1F497D">Re-examine the security implications of the requirement on the ability to limit network access by CA servers<o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="color:#1F497D">Kelvin<o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><div><div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b>From:</b> Ryan Hurst [<a href="mailto:ryan.hurst@globalsign.com">mailto:ryan.hurst@globalsign.com</a>] <br><b>Sent:</b> Monday, July 22, 2013 9:59 PM<br><b>To:</b> Kelvin Yiu<br><b>Cc:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit OCSP good response for non-issued certificates<o:p></o:p></p></div></div><p class="MsoNormal"><o:p> </o:p></p><div><p class="MsoNormal">You have an endorser in me but I would like to see us agree to take some action to ensure we're not just going to slip the date again.<span style="font-size:12.0pt"><o:p></o:p></span></p></div><div><p class="MsoNormal"><o:p> </o:p></p></div><div><p class="MsoNormal">Can the browsers agree to notify all CAs who are not part of this group of the impending date?<br><br>
Ryan Hurst<o:p></o:p></p><div><div><p class="MsoNormal">Chief Technology Officer<o:p></o:p></p></div><div><p class="MsoNormal">GMO Globalsign<o:p></o:p></p></div><div><p class="MsoNormal"><o:p> </o:p></p></div><div><p class="MsoNormal">twitter: @rmhrisk<o:p></o:p></p></div><div><p class="MsoNormal">email: <a href="mailto:ryan.hurst@globalsign.com">ryan.hurst@globalsign.com</a><o:p></o:p></p></div><div><p class="MsoNormal">phone: 206-650-7926<o:p></o:p></p></div><div><p class="MsoNormal"><o:p> </o:p></p></div><div><p class="MsoNormal">Sent from my phone, please forgive the brevity.<o:p></o:p></p></div></div></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On Jul 23, 2013, at 3:14 AM, Kelvin Yiu <<a href="mailto:kelviny@exchange.microsoft.com">kelviny@exchange.microsoft.com</a>> wrote:<o:p></o:p></p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal">I am looking for 2 endorsers of ballot 106 to extend the deadline to prohibit OCSP good response for non-issued certificates by 1 year. I am somewhat flexible on the date, but I do think it should be extended by at least 6-12 months to
give CAs enough time to comply. Here is the draft motion.<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Ballot 106 – Extension of Deadline for Prohibition of “Good Response” for Non-Issued Certificates<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Given that several CAs have notified the CA/Browser Forum that they will be unable to comply with the 1-August-2013 deadline by which OCSP responders MUST NOT respond with a "good" status for unissued certificates, and that a one-year
extension of this deadline is an appropriate timeframe by which these CAs should be able to come into compliance;<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Kelvin Yiu made the following motion, and ___ from ____ and _______ from _______ endorsed it:
<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Motion Begins <o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">EFFECTIVE RETROACTIVELY TO 1 AUGUST 2013,<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">The last sentence of Section 13.2.6 of the Baseline Requirements (Response for non-issued certificates) is hereby amended to read as follows:
<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">“Effective 1 August <span style="background:yellow;mso-highlight:yellow">
2014</span>, OCSP responders MUST NOT respond with a "good" status for such certificates.”<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Motion Ends<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Thanks,<o:p></o:p></p><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal">Kelvin<o:p></o:p></p></div></blockquote><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal"><span style="font-size: 12pt; font-family: 'Times New Roman', serif; ">_______________________________________________<br>
Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></p></div></blockquote></div></div></div>
_______________________________________________
Public mailing list
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</span></body></html>