[cabfpub] BR issue 7 update

Yngve N. Pettersen (Developer Opera Software ASA) yngve at opera.com
Fri Nov 9 22:45:45 UTC 2012


Hi,

Updated BR Issue #7 text

(remove OCSP stapling exception, require AIA URL in certs not issued from
a Root.)


Changes: Effective dates, clarification of non-root issuance for
subordinate CA certs

I selected August 1st since we already have an OCSP update deadline for
that date. Please shout if you don't like this suggestion, and provide an
alternative, and a reason why that is better.

I assume that BR compliant certs are always issued from a subCA, which is
why I do not add the exception there.


Reasons for changes:

    - OCSP: OCSP URL will still be needed for legacy clients, server
configuration is easier if the URL is included in the certificate.
    - issuer URL: Improve the user experience by helping clients verify
certificates for misconfigured servers (as mentioned earlier, 1 server
in 50 does not send a full chain, 1 in 1000 does not send a full chain
and automatic completion is not possible, although neither number says
anything about user impact of those servers, but the server admins
purchased certificates for some reason).

Open issues:

   - Is the effective date sufficient?
   - Does this fix the issues already mentioned, and are there any other
issues with the text?

---------

Effective <Immediately>

Erratum begins:

A. In Appendix B "Subordinate CA" remove point C
(authorityInformationAccess) and insert

    C. authorityInformationAccess This extension MUST be present. It MUST
NOT be marked critical, and it MUST contain:
     * the HTTP URL of the Issuing CA’s OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1). See Section 13.2.1 for details about OCSP revocation
requirements.

     * (Effective August 1, 2013) for certificates not issued by a Root CA,
the HTTP URL where a copy of the Issuing CA’s certificate (accessMethod =
1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online repository.

B. In Appendix B "Subscriber Certificate" remove point C
(authorityInformationAccess) and insert

    C. authorityInformationAccess This extension MUST be present. It MUST
NOT be marked critical, and it MUST contain:
     * the HTTP URL of the Issuing CA’s OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1). See Section 13.2.1 for details about OCSP revocation
requirements.

     * (Effective August 1, 2013) the HTTP URL where a copy of the Issuing
CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded
from a 24x7 online repository.

Erratum ends



-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve at opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 96 90 41 51              Fax:    +47 23 69 24 01
********************************************************************
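The AIA rules in the erratum above, as an added compliance checker that is not part of the original post or of the Baseline Requirements: it decodes an authorityInformationAccess value from DER and reports which of the proposed requirements (presence, non-critical, HTTP OCSP URL, HTTP caIssuers URL for non-root-issued certificates) a certificate would fail. The sample extension values and the example.test URLs are constructed for illustration.

```python
# Checker for the authorityInformationAccess rules in the erratum above.
# Added example, not part of the original post or of the Baseline Requirements;
# the sample extension values are constructed here and the URLs are hypothetical.

OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers

def _read_tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_aia(der):
    """Return [(accessMethod OID bytes, URI)] for the [6] URI entries of an AIA value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)          # one AccessDescription
        _, oid, p = _read_tlv(desc, 0)              # accessMethod OID
        name_tag, name, _ = _read_tlv(desc, p)      # accessLocation GeneralName
        if name_tag == 0x86:                        # context tag [6] = URI
            out.append((oid, name.decode("ascii")))
    return out

def check_aia(extension, issued_by_root):
    """extension is None when absent, else (critical, der_value); returns violations."""
    if extension is None:
        return ["authorityInformationAccess extension absent"]
    critical, der = extension
    problems = ["extension marked critical"] if critical else []
    urls = parse_aia(der)
    has = lambda oid: any(m == oid and u.startswith("http://") for m, u in urls)
    if not has(OID_OCSP):
        problems.append("no HTTP URL for the issuing CA's OCSP responder")
    if not issued_by_root and not has(OID_CA_ISSUERS):   # caIssuers rule, post Aug 1 2013
        problems.append("no HTTP URL for the issuing CA's certificate")
    return problems

def _tlv(tag, body):
    """Minimal DER encoder (short-form lengths) used only to build the samples."""
    return bytes([tag, len(body)]) + body
def _access(oid, url):
    return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x86, url.encode("ascii")))
OCSP_ONLY = _tlv(0x30, _access(OID_OCSP, "http://ocsp.example.test"))
FULL = _tlv(0x30, _access(OID_OCSP, "http://ocsp.example.test")
            + _access(OID_CA_ISSUERS, "http://ca.example.test/issuer.crt"))
```

check_aia((False, OCSP_ONLY), issued_by_root=False) reports the missing caIssuers URL, while the same value passes for a certificate issued directly from a Root CA, which is exactly the exception the erratum carves out.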


