[cabfpub] August 1st Deadline for No "Good" Response to Non-Issued Certificate

Yngve N. Pettersen yngve at spec-work.net
Fri Jul 19 12:34:29 MST 2013


Kelvin, the requirement is there to prevent a CA from responding "this  
certificate is not revoked" for a certificate that the CA in question has  
absolutely no idea *exists*. The worst possible reason for such a query to  
be received is that the CA's issuing system has been compromised, and the  
attacker removed all traces of the certificate having been issued, which  
is what happened during the DigiNotar incident.

Changing this into a recommendation would mean that browsers would never  
be able to reliably determine that a certificate exists and is not  
revoked, and there would be no way to prevent a repetition of the  
DigiNotar incident.

On Fri, 19 Jul 2013 21:18:14 +0200, Kelvin Yiu  
<kelviny at exchange.microsoft.com> wrote:

> My preference is to change the OCSP behavior into a recommendation  
> instead of a requirement with no deadline. The problem with moving the  
> deadline to January is that CAs are still under pressure to meet the  
> requirement. We need to ensure the new deadline takes into account  
> sufficient time to obtain sufficient commercial vendor support and for  
> CAs to integrate the new software.
>
> We can still work towards resolving the issue according to Ben’s  
> proposed timeline, but January 2014 is just too soon to be practical.
>
> Kelvin
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]  
> On Behalf Of Eddy Nigg (StartCom Ltd.)
> Sent: Friday, July 19, 2013 9:48 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] August 1st Deadline for No "Good" Response to  
> Non-Issued Certificate
>
>
> On 07/19/2013 07:41 PM, From Ben Wilson:
> Should we move the deadline from August 1 to January 1 and request that  
> any CA / OCSP software provider with a problem provide us with a  
> statement of progress, hurdles to overcome, and/or proposed milestones,  
> with a response deadline of October 15 .  Then, based on those responses  
> received, if any, we determine whether the deadline should be moved out  
> further?
> If there is interest in this proposal, then we should create a new  
> ballot and we would need a sponsor and two endorsers.   Also, to the  
> extent that the timing of the review and voting periods would extend  
> beyond August 1, we would have to suspend the rules in order for voting  
> to be completed before August 1.
>
> I would agree with both - e.g. split the ballots into two and the  
> January first deadline for OCSP.
>
> Regards
>
>
>
> Signer: Eddy Nigg, COO/CTO
> StartCom Ltd. <http://www.startcom.org>
> XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
> Blog: Join the Revolution! <http://blog.startcom.org>
> Twitter: Follow Me <http://twitter.com/eddy_nigg>
>


-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/
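The responder behaviour Yngve describes, as an added example that is not part of the thread and not any CA's or OCSP vendor's code: a minimal status decision that answers "good" only for serial numbers the CA itself recorded as issued, compared against a responder that derives status from the revocation list alone. The CA database, the serial numbers, the subject names and the function names are all constructed for illustration; the `issue_and_cover_tracks` helper models the compromise scenario in the message (a certificate issued through the CA's system and then erased from its records) and is an assumption about how such an attack would look, not a description of any real incident's mechanics.

```python
"""Added example: why an OCSP responder must not say "good" for a serial it
has no issuance record for. Everything below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class IssuanceRecord:
    serial: int
    subject: str
    not_after: datetime


@dataclass
class CADatabase:
    """Constructed stand-in for a CA's issuance log and revocation list."""
    issued: dict = field(default_factory=dict)   # serial -> IssuanceRecord
    revoked: dict = field(default_factory=dict)  # serial -> revocation time


def ocsp_status_crl_only(db: CADatabase, serial: int) -> CertStatus:
    """Responder that only consults the revocation list.

    Any serial that is not on the list is reported "good", including serials
    the CA has never seen. This is the behaviour the thread's requirement
    forbids after the deadline.
    """
    return CertStatus.REVOKED if serial in db.revoked else CertStatus.GOOD


def ocsp_status_issuance_aware(db: CADatabase, serial: int) -> CertStatus:
    """Responder that answers "good" only for serials it recorded as issued.

    Order matters: a revoked serial stays revoked even if its issuance record
    was tampered with, and an unrecorded serial is never "good". Answering
    "revoked" instead of "unknown" for unrecorded serials would also satisfy
    the "no good response" rule; "unknown" is used here as the conservative
    choice that does not assert anything the CA cannot back up.
    """
    if serial in db.revoked:
        return CertStatus.REVOKED
    if serial in db.issued:
        return CertStatus.GOOD
    return CertStatus.UNKNOWN


def build_sample_db() -> CADatabase:
    """Constructed data: one live certificate and one revoked one."""
    db = CADatabase()
    later = datetime(2014, 7, 1, tzinfo=timezone.utc)
    db.issued[0x1001] = IssuanceRecord(0x1001, "CN=www.example.com", later)
    db.issued[0x1002] = IssuanceRecord(0x1002, "CN=mail.example.com", later)
    db.revoked[0x1002] = datetime(2013, 7, 1, tzinfo=timezone.utc)
    return db


def issue_and_cover_tracks(db: CADatabase, serial: int, subject: str) -> None:
    """Assumed attacker model: a certificate is issued through the CA's own
    system, then the issuance record is deleted so the CA has no idea the
    certificate exists. Nothing reaches the revocation list either."""
    db.issued[serial] = IssuanceRecord(
        serial, subject, datetime(2014, 7, 1, tzinfo=timezone.utc))
    del db.issued[serial]


def compare_responders(db: CADatabase, serial: int) -> dict:
    """Return both responders' answers for one serial, as plain strings."""
    return {
        "crl_only": ocsp_status_crl_only(db, serial).value,
        "issuance_aware": ocsp_status_issuance_aware(db, serial).value,
    }


def demo() -> dict:
    """Run the legitimate, revoked and rogue serials through both responders."""
    db = build_sample_db()
    rogue_serial = 0x7A5E  # constructed; never recorded by the CA
    issue_and_cover_tracks(db, rogue_serial, "CN=login.example.org")
    return {
        "legit": compare_responders(db, 0x1001),
        "revoked": compare_responders(db, 0x1002),
        "rogue": compare_responders(db, rogue_serial),
    }


if __name__ == "__main__":
    for name, answers in demo().items():
        print(f"{name:8s} {answers}")
```

The point of the comparison is the last row: for the rogue serial, the CRL-only responder happily reports "good" because the serial is simply absent from the revocation list, while the issuance-aware responder reports "unknown" because the CA has no record of ever issuing it. That is exactly the signal a browser needs in order to notice that a certificate the CA never knowingly issued is being presented to it.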