[cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit OCSP good response for non-issued certificates
Steve Roylance
steve.roylance at globalsign.com
Tue Jul 23 10:55:36 MST 2013
Hi Kelvin,
I also think it's vitally important to include some of the other
stakeholders - (Certificate Authority platform providers like
Primekey/Ascertia/Microsoft/Entrust etc and OCSP responder service providers
like Corestreet).
Ideally we should list compliant solutions on the CABForum website so that
there's some small pressure to meet the new deadlines (small carrot rather
than small stick). That was my main point when I first raised the
suggestion a while ago so I want to ensure it's followed up again here.
Hopefully ballot 105 will pass to allow an alternative for those who are
able to constrain. (Not to lessen the effect of the request to platform
providers, but to ensure choice in the market for consumers)
Steve
From: Kelvin Yiu <kelviny at exchange.microsoft.com>
Date: Tuesday, 23 July 2013 17:48
To: Ryan Hurst <ryan.hurst at globalsign.com>
Cc: "public at cabforum.org" <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit
OCSP good response for non-issued certificates
Thanks Ryan. I agree that browser vendors should take action to ensure all
CAs in their relative root CA program are aware of the requirement and
deadline.
I also think the forum needs to accomplish 2 tasks before we talk to the
remaining CAs:
1. Complete the assessment of the product support by commercial OCSP
vendors
2. Re-examine the security implications of the requirement on the
ability to limit network access by CA servers
Kelvin
From: Ryan Hurst [mailto:ryan.hurst at globalsign.com]
Sent: Monday, July 22, 2013 9:59 PM
To: Kelvin Yiu
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit OCSP
good response for non-issued certificates
You have an endorser in me but I would like to see us agree to take some
action to ensure we're not just going to slip the date again.
Can the browsers agree to notify all CAs who are not part of this group of
the impending date?
Ryan Hurst
Chief Technology Officer
GMO Globalsign
twitter: @rmhrisk
email: ryan.hurst at globalsign.com
phone: 206-650-7926
Sent from my phone, please forgive the brevity.
On Jul 23, 2013, at 3:14 AM, Kelvin Yiu <kelviny at exchange.microsoft.com>
wrote:
>
> I am looking for 2 endorsers of ballot 106 to extend the deadline to prohibit
> OCSP good response for non-issued certificates by 1 year. I am somewhat
> flexible on the date, but I do think it should be extended by at least 6-12
> months to give CAs enough time to comply. Here is the draft motion.
>
>
>
> Ballot 106 Extension of Deadline for Prohibition of “Good Response” for
> Non-Issued Certificates
>
> Given that several CAs have notified the CA/Browser Forum that they will be
> unable to comply with the 1-August-2013 deadline by which OCSP responders MUST
> NOT respond with a "good" status for unissued certificates, and that a
> one-year extension of this deadline is an appropriate timeframe by which these
> CAs should be able to come into compliance;
>
> Kelvin Yiu made the following motion, and ___ from ____ and _______ from
> _______ endorsed it:
>
> Motion Begins
>
> EFFECTIVE RETROACTIVELY TO 1 AUGUST 2013,
>
> The last sentence of Section 13.2.6 of the Baseline Requirements (Response for
> non-issued certificates) is hereby amended to read as follows:
>
> “Effective 1 August 2014, OCSP responders MUST NOT respond with a "good"
> status for such certificates.”
>
> Motion Ends
>
> Thanks,
>
> Kelvin
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public