[cabfpub] BR Issue 7

Ben Wilson ben at digicert.com
Thu Dec 6 01:20:08 UTC 2012


All,

As noted during our last telephone meeting on 19 November, Yngve would like
to move forward on a resolution of BR Issue 7.

His recent changes include an effective date of 1 August 2013, since we
already have an OCSP update deadline for that date (as noted below, please
respond if you do not like this suggestion, and provide an alternative, and
a reason why yours is better).

Motivations for resolving this issue include:

    - OCSP: OCSP URL will still be needed for legacy clients; server
      configuration is easier if the URL is included in the certificate.

    - issuer URL: Improve the user experience by helping clients verify
      certificates for misconfigured servers (as he has mentioned earlier, 1
      server in 50 does not send a full chain, 1 in 1000 does not send a full
      chain and automatic completion is not possible, although neither number
      says anything about user impact of those servers, but the server admins
      purchased certificates for some reason).

Open issues:

    - Is the effective date sufficient?

    - Does this fix the issues already mentioned, and are there any other
      issues with the text?

In conversations with him, I have suggested that we hold off balloting and
refine the language further, if necessary, because recent history shows that
even if we started the review and voting period there may be a multitude of
comments that bog down the approval process.  Instead of pushing this to a
vote, Yngve and I discussed the idea of creating an issues list for this
issue.  That is Item #5 on the agenda tomorrow.

In anticipation of tomorrow's discussion, could those of you who are
concerned about implementation timeframes for mandatory issuer AIAs, about
the proposal altogether, or other questions about it either respond to this
email with your comments or send an email to me and Yngve, so that all
issues can be consolidated into a comment-and-response framework?  The first
comment or question received will be numbered 7a, the second 7b, and so
forth.  The most current language being considered is as follows:

For C. authorityInformationAccess for Subordinate CAs

This extension MUST be present.  It MUST NOT be marked critical, and it MUST
contain:

     * the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
       1.3.6.1.5.5.7.48.1). See Section 13.2.1 for details about OCSP revocation
       requirements.

     * for certificates issued after August 1, 2013 that are not issued by
       a Root CA, the HTTP URL where a copy of the Issuing CA's certificate
       (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online
       repository.

For C. authorityInformationAccess for Subscriber Certificates

This extension MUST be present.  It MUST NOT be marked critical, and it MUST
contain:

     * the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
       1.3.6.1.5.5.7.48.1). See Section 13.2.1 for details about OCSP revocation
       requirements.

     * for certificates issued after August 1, 2013, the HTTP URL where a
       copy of the Issuing CA's certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can
       be downloaded from a 24x7 online repository, and each Issuing CA certificate
       in the chain, except the Root and the Subordinate CA issued by the Root,
       MUST contain this extension.

Thanks,

Ben
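The proposed AIA wording above, turned into a checker as an added example (this is not part of Ben's message nor the CA/Browser Forum's own text): a stdlib-only Python routine that parses a DER-encoded authorityInformationAccess value and lists which of the proposal's requirements a certificate misses. Assumptions: "HTTP URL" is read strictly as an http:// URL, the caller supplies the extension's criticality flag, the issue date and whether a Subordinate CA certificate was issued by a Root, and the sample AIA value with its hostnames is constructed, not taken from any real certificate.

```python
"""Checker for the BR Issue 7 AIA text quoted above (added example, stdlib only)."""
import datetime
# accessMethod OIDs from the proposal, as DER OID contents (tag/length omitted).
OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2
EFFECTIVE = datetime.date(2013, 8, 1)               # proposed effective date

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next_pos); single-byte tags only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_aia(der):  # -> [(accessMethod OID, URI or None), ...], one per AccessDescription
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _tlv(seq, pos)
        oid_tag, oid, p = _tlv(desc, 0)
        name_tag, name, _ = _tlv(desc, p)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed AccessDescription")
        # GeneralName [6] uniformResourceIdentifier = context-specific primitive tag 0x86
        out.append((oid, name.decode("ascii") if name_tag == 0x86 else None))
    return out

def _has_http(descs, oid):  # "HTTP URL" read strictly as http:// (assumption); https not accepted
    return any(u and u.lower().startswith("http://") for o, u in descs if o == oid)

def check_aia(aia_der, critical, issued, issued_by_root=False):
    """Return the proposal's requirements the certificate violates (empty = compliant)."""
    if aia_der is None:
        return ["AIA extension MUST be present"]
    findings = ["AIA extension MUST NOT be marked critical"] if critical else []
    descs = parse_aia(aia_der)
    if not _has_http(descs, OID_OCSP):
        findings.append("missing HTTP URL of the Issuing CA's OCSP responder")
    # The Root exception is for Subordinate CA certs only; pass False for Subscriber certs.
    if issued > EFFECTIVE and not issued_by_root and not _has_http(descs, OID_CA_ISSUERS):
        findings.append("missing HTTP URL of the Issuing CA's certificate (caIssuers)")
    return findings

def _der(tag, value):  # short-form DER encoder, used only to build the sample
    return bytes([tag, len(value)]) + value
def access_description(oid, uri):
    return _der(0x30, _der(0x06, oid) + _der(0x86, uri.encode("ascii")))
SAMPLE_OK = _der(0x30, access_description(OID_OCSP, "http://ocsp.example.test")  # constructed
                 + access_description(OID_CA_ISSUERS, "http://aia.example.test/ca.crt"))  # placeholders
```

`check_aia(SAMPLE_OK, False, EFFECTIVE.replace(year=2014))` returns an empty list; dropping the caIssuers entry from the sample makes it report the missing Issuing CA URL for post-deadline certificates only.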
