[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Dean Coclin Dean_Coclin at symantec.com
Tue Aug 6 16:31:26 UTC 2013


Symantec ABSTAINS.

 

Symantec believes there are strong arguments on both sides of the issue.
Although we feel it's incorrect to return a "good" status for an unknown
certificate, full compliance by all CAs would do little to deter a hacker
who can choose any serial number for a fake certificate.

 

Dean Coclin

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Robin Alden
Sent: Friday, July 26, 2013 2:26 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good
response for non-issued certificates

 

Comodo ABSTAINS from voting.

It is regrettable that this deficiency of OCSP should remain exploitable
with responders apparently being used by some CAs almost two years after
exactly this same flaw was plugged at DigiNotar as part of the response to
the breach there.

We understand that the BRs should not set unattainable standards, but feel
that more rapid progress should be made.

We would vote in favour of future motions to shorten the timescale in which
this deficiency should be addressed.

We will vote against future motions to lengthen the timescale in which this
deficiency should be addressed.

 

Regards
Robin Alden

Comodo

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: 23 July 2013 17:44
To: public at cabforum.org
Subject: [cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good
response for non-issued certificates

 

Ballot 106 - Extended Deadline to Prohibit OCSP "Good" Response for
Non-Issued Certificates

 

Given that several CAs have notified the CA/Browser Forum that they will be
unable to comply with the 1-August-2013 deadline by which OCSP responders
MUST NOT respond with a "good" status for unissued certificates, and that a
one-year extension of this deadline is an appropriate timeframe by which
these CAs should be able to come into compliance;

 

Kelvin Yiu made the following motion, and Eddy Nigg from StartCom, Ryan
Hurst from GlobalSign, and Iida Yosiaki from SECOM [snip] endorsed it:

etc

 
