[cabfpub] Ballot[80] - BR Response for non-issued certificates

Janssen, M.A. (Mark) - Logius mark.janssen at logius.nl
Thu Jul 26 04:50:51 MST 2012


All,


In addition to the remarks that have already been made by Symantec and SECOM Trust Systems, I would also like to express my doubts about this ballot on behalf of PKIoverheid. PKIoverheid agrees with the spirit of this ballot as well. However, I suspect that practical implementation of this requirement will be hard for at least some of the CSPs that are part of the PKIoverheid hierarchy.



Since the option RFC2560 offered with regard to CRL distribution points for OCSP responder signing certificates has been denied to CAs by Baseline requirement 13.2.5, CSPs of PKIoverheid had to put a lot of effort into changing their OCSP architecture. On behalf of these CSPs, PKIoverheid will have to vote against this motion as it currently stands. CAs have not been given proper time to investigate the impact of this new requirement thoroughly and my feeling is that the required implementation period of half a year is really too short to revamp one's OCSP architecture if need be (for example, in case of CRL based OCSP responses).



A lot of us are currently in the middle of the summer holidays. Therefore, I would propose to withdraw this motion temporarily and give CAs at least some time to further investigate the impact of this new requirement. The motion could be proposed again at the start of October.




Best Regards,

Mark Janssen
Senior Advisor PKIoverheid
........................................................................
Logius
The ministry of the Interior and Kingdom Relations (BZK)
Wilhelmina van Pruisenweg 52 | 2595 AN | The Hague
P.O. Box 96810 | 2509 JE | The Hague
........................................................................
T +31(0) 70 8887 967
F +31(0) 70 8887 882
mark.janssen at logius.nl
http://www.logius.nl/
........................................................................
Service e-government
........................................................................


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Tim Moses
Sent: Friday 20 July 2012 20:41
To: CABFPub
Subject: [cabfpub] Ballot[80] - BR Response for non-issued certificates


Yngve Pettersen made the following motion and Ben Wilson and Carsten Dahlenkamp endorsed it:

... Motion begins....

Effective 1 Feb 2013

... Erratum begins ...

Insert a new section at the end of section 13.2 of the Baseline Requirements with the following heading and text:

"13.2.6 Response for non-issued certificates

If the OCSP responder receives a request for status of a certificate that has not been issued, then the responder MUST NOT respond with a "good" status. The CA SHOULD monitor the responder for such requests as part of its security response procedures."

... Erratum ends ...

The ballot review period comes into effect at 21:00 UTC on 19 July 2012 and will close at 21:00 UTC on 26 July 2012. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 21:00 UTC on 2 August 2012. Votes must be cast by posting an on-list reply to this thread.

... Motion ends ...

A vote in favor of the motion must indicate a clear 'yes' in the response.

A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted.

Voting members are listed here:

http://www.cabforum.org/forum.html

with the addition of TrendMicro<https://www.cabforum.org/wiki/TrendMicro>.

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and one half or more of the votes cast by members in the browser category must be in favour. Also, at least seven members must participate in the ballot, either by voting in favour, voting against or abstaining.

T: +1 613 270 3183
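
Added example (not part of the original message or of the ballot text): a small Python model of the proposed 13.2.6 behaviour, contrasting a responder that knows only revoked serials (the CRL-based case raised above) with one that also consults issuance records. The class names, the serial numbers and the choice of "unknown" as the non-"good" answer are assumptions; the ballot text only forbids "good".

```python
from enum import Enum


class CertStatus(Enum):
    # The three certificate status values defined by RFC 2560.
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class CrlBasedResponder:
    """Knows only the revoked serials, as a CRL lists them."""

    def __init__(self, revoked):
        self.revoked = set(revoked)

    def status(self, serial):
        # Anything absent from the CRL is reported as good, including
        # serial numbers the CA never issued.
        return CertStatus.REVOKED if serial in self.revoked else CertStatus.GOOD


class IssuanceAwareResponder:
    """Consults the CA's issuance records before answering good."""

    def __init__(self, issued, revoked):
        self.issued = set(issued)
        self.revoked = set(revoked)
        self.non_issued_requests = []  # feed for security monitoring

    def status(self, serial):
        if serial in self.revoked:
            return CertStatus.REVOKED
        if serial in self.issued:
            return CertStatus.GOOD
        # Never issued: record the request and do not answer good.
        # Answering "unknown" is an assumption of this example.
        self.non_issued_requests.append(serial)
        return CertStatus.UNKNOWN


def non_issued_answered_good(responder, probe_serials, issued):
    """Compliance probe: never-issued serials the responder calls good."""
    return [s for s in probe_serials
            if s not in issued and responder.status(s) is CertStatus.GOOD]


# Constructed sample data, not taken from any real CA.
ISSUED = {0x1001, 0x1002, 0x1003}
REVOKED = {0x1002}
PROBES = [0x1001, 0x1002, 0x9999]  # 0x9999 was never issued
```

Running non_issued_answered_good against each responder with PROBES shows the gap: the CRL-based model reports the never-issued serial as good, while the issuance-aware model reports nothing and logs the request for follow-up.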

