[cabfpub] Ballot[80] - BR Response for non-issued certificates

Rick Andrews Rick_Andrews at symantec.com
Fri Jul 20 16:09:11 MST 2012


While we agree with the "spirit" of this ballot, Symantec will probably vote against this, for these reasons:

- In our opinion, this will have little practical effect because if an attacker subverts a CA and uses the CA's infrastructure to issue a fraudulent cert, that cert will have a valid serial number and will therefore have a "good" status (until the fraud is discovered). If the attacker does not subvert the CA's infrastructure (and instead mounts a hash collision attack, for example), s/he could easily choose to use an existing serial number and therefore get a "good" status (until the fraud is discovered and the legitimate certificate is revoked). The motion will only help in the very limited case in which the attacker does not subvert the CA's infrastructure and uses a non-existent serial number.

- Any CA that uses a CRL-based OCSP responder product (and Symantec does, for a subset of our CAs) will be unable to comply until the vendor builds in that functionality (we think it's non-trivial) and the CA deploys it, or the CA replaces the CRL-based OCSP responder with one not based on CRLs. Neither option can be accomplished in 6 months; both options will probably take a year or more.

- The BRs currently treat CRLs almost the same as OCSP (Section 13.2.2 "Repository" essentially says that the CA must support OCSP and may support CRLs), and if a relying party uses CRLs instead of OCSP, they will interpret anything not on the CRL as "good". So this ballot will do nothing at all to help those relying parties.

-Rick


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Tim Moses
Sent: Friday, July 20, 2012 11:41 AM
To: CABFPub
Subject: [cabfpub] Ballot[80] - BR Response for non-issued certificates


Yngve Pettersen made the following motion and Ben Wilson and Carsten Dahlenkamp endorsed it:

... Motion begins....

Effective 1 Feb 2013

... Erratum begins ...

Insert a new section at the end of section 13.2 of the Baseline Requirements with the following heading and text:

"13.2.6 Response for non-issued certificates

If the OCSP responder receives a request for status of a certificate that has not been issued, then the responder MUST NOT respond with a "good" status. The CA SHOULD monitor the responder for such requests as part of its security response procedures."

... Erratum ends ...

The ballot review period comes into effect at 21:00 UTC on 19 July 2012 and will close at 21:00 UTC on 26 July 2012. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 21:00 UTC on 2 August 2012. Votes must be cast by posting an on-list reply to this thread.

... Motion ends ...

A vote in favor of the motion must indicate a clear 'yes' in the response.

A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted.

Voting members are listed here:

http://www.cabforum.org/forum.html

with the addition of TrendMicro (https://www.cabforum.org/wiki/TrendMicro).

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and one half or more of the votes cast by members in the browser category must be in favour. Also, at least seven members must participate in the ballot, either by voting in favour, voting against or abstaining.

T: +1 613 270 3183
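The two responder models argued about in this thread, as an added illustration that is not CA/Browser Forum text, Symantec's code or any vendor's product. A responder that derives status purely from a CRL has no way to tell a never-issued serial from a valid one, so it answers "good" for both; a responder that also consults the CA's issuance record can satisfy the proposed 13.2.6 (never "good" for a non-issued serial, here answering "unknown", since the ballot only forbids "good" and leaves the alternative to the CA) and can log such requests for the monitoring the ballot asks for. The serial numbers and certificate sets are constructed sample data, and the class names are assumptions made for this example. The last case shows Rick's coverage point: a fraudulent certificate carrying an existing serial is indistinguishable from the legitimate one under either model.

```python
"""Compare a CRL-derived OCSP responder with an issuance-aware one.

Added example for this thread; class and function names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class CrlBasedResponder:
    """Knows only the CRL: anything not listed on it is reported 'good'."""

    revoked: set[int]

    def status(self, serial: int) -> str:
        return REVOKED if serial in self.revoked else GOOD


@dataclass
class IssuanceAwareResponder:
    """Knows which serials the CA actually issued, so a never-issued serial
    is never reported 'good' (the proposed 13.2.6 rule) and each such
    request is recorded for the CA's security monitoring."""

    issued: set[int]
    revoked: set[int]
    suspicious_requests: list[int] = field(default_factory=list)

    def status(self, serial: int) -> str:
        if serial not in self.issued:
            self.suspicious_requests.append(serial)
            return UNKNOWN  # MUST NOT be "good"; "unknown" is one compliant choice
        return REVOKED if serial in self.revoked else GOOD


def compare(serial: int, crl: CrlBasedResponder,
            db: IssuanceAwareResponder) -> tuple[str, str]:
    """Return (CRL-based answer, issuance-aware answer) for one serial."""
    return crl.status(serial), db.status(serial)


def demo() -> dict[str, tuple[str, str]]:
    # Constructed sample CA state: three issued serials, one of them revoked.
    issued = {0x1001, 0x1002, 0x1003}
    revoked = {0x1003}
    crl = CrlBasedResponder(revoked)
    db = IssuanceAwareResponder(issued, revoked)
    return {
        "legitimate, valid": compare(0x1001, crl, db),
        "legitimate, revoked": compare(0x1003, crl, db),
        # Only this case is changed by the ballot: the CRL model says "good",
        # the issuance-aware model does not.
        "never issued": compare(0x9999, crl, db),
        # A fraudulent cert reusing an existing serial looks exactly like the
        # legitimate one to both responders until that serial is revoked.
        "existing serial reused": compare(0x1002, crl, db),
    }


if __name__ == "__main__":
    for case, (crl_answer, db_answer) in demo().items():
        print(f"{case:24s} CRL-based: {crl_answer:8s} issuance-aware: {db_answer}")
```

Running the block prints one line per case; the "never issued" row is the only one where the two columns differ, and `IssuanceAwareResponder.suspicious_requests` holds the serial that triggered it, which is the signal a CA would feed into the monitoring the motion describes.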
