[cabfpub] Ballot[80] - BR Response for non-issued certificates

y-iida at secom.co.jp y-iida at secom.co.jp
Tue Jul 24 08:01:58 UTC 2012

Like Symantec, while we, SECOM Trust Systems, agree the "spirit" of
this ballot, we will not vote in favor unconditionally.
We could vote "yes", if this requirement is adopted into the PKIX
standardized requirement, or at least CABForum encourage PKIX to adopt

In RFC 2560, it reads:
   The "good" state indicates a positive response to the status inquiry.
   At a minimum, this positive response indicates that the certificate
   is not revoked, but does not necessarily mean that the certificate
   was ever issued or that the time at which the response was produced
   is within the certificate's validity interval.
This ballot seems to expect OCSP responders as validation authorities,
while RFC 2560 accepts such behavior as one of optional alternatives.
Members of CABForum do apply and conform to standards, but basic
requirements should not go too far away from standards.

We agree that the responder SHOULD NOT respond with a "good" status
for non-issued certificates, but at this moment we think it is
questionable to say that the responder MUST NOT do so.  It is too far

We also think that it is preferable to make enough time for CA venders
to develop such products and for CAs to deploy them.

>While we agree with the "spirit" of this ballot, Symantec will
>probably vote against this, for these reasons:

More information about the Public mailing list