<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">I agree. I would prefer to have a separate ballot that focused on certificate profiles. In addition to requiring either AIA OCSP or TLS Feature Status Request, I would also like to sunset teletexString and disallow control characters in all strings.</div><div class=""><br class=""></div><div class="">There is also the open item of determining what changes, if any, are needed to section 7.1.4.2.1. It seems many CAs are including SAN entries which are not dNSNames or iPAddresses.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Peter</div><br class=""><div><blockquote type="cite" class=""><div class="">On Jan 20, 2016, at 8:48 AM, Ryan Sleevi <<a href="mailto:sleevi@google.com" class="">sleevi@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class="">I would object to adding this to that ballot. It's not non-controversial (as seen in past discussions on the list), but also, we should keep ballots as simple as possible and as singularly scoped :)</div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Jan 20, 2016 at 7:26 AM, Richard Barnes <span dir="ltr" class=""><<a href="mailto:rbarnes@mozilla.com" target="_blank" class="">rbarnes@mozilla.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="">Redirecting to CABF, where I meant to send it in the first place...<br class=""><br class=""><div class=""><div class="gmail_quote">---------- Forwarded message ----------<br class="">From: <b class="gmail_sendername">Richard Barnes</b> <span dir="ltr" class=""><<a href="mailto:rbarnes@mozilla.com" target="_blank" class="">rbarnes@mozilla.com</a>></span><br class="">Date: Wed, Jan 20, 2016 at 9:35 AM<br class="">Subject: OCSP exception contingent on must-staple (was Re: SHA1 certs issued this year chaining to included roots)<br class="">To: Rob Stradling <<a href="mailto:rob.stradling@comodo.com" target="_blank" class="">rob.stradling@comodo.com</a>><br class="">Cc: Charles Reiss <<a href="mailto:woggling@gmail.com" target="_blank" class="">woggling@gmail.com</a>>, "<a href="mailto:mozilla-dev-security-policy@lists.mozilla.org" target="_blank" class="">mozilla-dev-security-policy@lists.mozilla.org</a>" <<a href="mailto:mozilla-dev-security-policy@lists.mozilla.org" target="_blank" class="">mozilla-dev-security-policy@lists.mozilla.org</a>><br class=""><br class=""><br class=""><div dir="ltr" class="">Changing the subject line as this is branching a bit...<br class=""><div class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Jan 20, 2016 at 8:24 AM, Rob Stradling <span dir="ltr" class=""><<a href="mailto:rob.stradling@comodo.com" target="_blank" class="">rob.stradling@comodo.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">On 19/01/16 21:13, Charles Reiss wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On 01/19/16 11:49, Jakob Bohm wrote:<br class="">
</blockquote></span>
<snip><span class=""><br class="">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
If there is no OCSP, it obviously cannot be stapled.<br class="">
</blockquote>
<br class="">
The CA/Browser forum BRs contemplate OCSP stapling without an OCSP responder<br class="">
being listed in the certificate in section 7.1.2.2.c ("The HTTP URL of the<br class="">
Issuing CA’s OCSP responder MAY be omitted, provided that the Subscriber<br class="">
“staples” the OCSP response for the Certificate in its TLS handshakes<br class="">
[RFC4366].") I assume the idea is that the OCSP responder URL would be manually<br class="">
configured in the server and that this would make the certificate slightly smaller.<br class="">
</blockquote>
<br class=""></span>
IIRC, the original motivation for this text was to make it possible to suppress OCSP requests directly from TLS clients (that don't support OCSP Stapling). In particular, there was a concern that some OCSP responders might not be able to cope with the OCSP traffic generated by certs used by sites with extremely high numbers of users.<br class="">
<br class="">
At the time, Firefox didn't support OCSP Stapling, and it was much less common for CAs to use CDNs for their OCSP responders. (Indeed, some CAs didn't even support OCSP back then).<span class=""><font color="#888888" class=""><br class=""></font></span></blockquote><div class=""><br class=""></div><div class="">This sentence has always bothered me, though, because in order to make sense, you would have to have the CA verify that the OCSP response is stapled, and there's not any requirement to do that. ISTM that omitting the OCSP URL only really makes sense if there's a TLS Feature extension requiring stapling (i.e., must-staple).<br class=""><br class="">"""<br class=""><span class="">The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted, provided that the Certificate contains a TLS Feature extension including the value status_request(5). This extension requires that the Subscriber “staples” the OCSP response for the Certificate in its TLS handshakes [RFC4366]."</span><br class="">"""<br class=""><br class=""></div><div class="">If this is non-controversial, maybe this is something to add to Bowen's ballot that's being discussed on another thread?<br class=""><br class=""></div><div class="">--Richard<br class=""></div><div class=""><br class=""> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class=""><font color="#888888" class="">
<br class=""><span class="HOEnZb"><font color="#888888" class=""><span class=""><font color="#888888" class="">
-- <br class="">
Rob Stradling<br class="">
Senior Research & Development Scientist<br class="">
COMODO - Creating Trust Online</font></span></font></span></font></span><span class="HOEnZb"><font color="#888888" class=""><span class=""><font color="#888888" class=""><div class=""><div class=""><br class="">
<br class="">
_______________________________________________<br class="">
dev-security-policy mailing list<br class="">
<a href="mailto:dev-security-policy@lists.mozilla.org" target="_blank" class="">dev-security-policy@lists.mozilla.org</a><br class="">
<a href="https://lists.mozilla.org/listinfo/dev-security-policy" rel="noreferrer" target="_blank" class="">https://lists.mozilla.org/listinfo/dev-security-policy</a><br class="">
</div></div></font></span></font></span></blockquote></div><br class=""></div></div></div>
</div><br class=""></div></div>
<br class="">_______________________________________________<br class="">
Public mailing list<br class="">
<a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank" class="">https://cabforum.org/mailman/listinfo/public</a><br class="">
<br class=""></blockquote></div><br class=""></div>
_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">https://cabforum.org/mailman/listinfo/public<br class=""></div></blockquote></div><br class=""></body></html>