[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Geoff Keating geoffk at apple.com
Tue Jul 23 12:37:51 MST 2013


On 23 Jul 2013, at 11:50 am, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:

> On 07/23/2013 09:40 PM, From Steve Roylance:
>> Hi Eddy.
>> Ryan is correct as the ballot carves out Name Constrained CAs and is under vote already. The 106 ballot allows grace to the non name constrained entities.
> 
> Since it's your ballot I'm coming back to you...the proposed change states:
> 
> Effective 1 August 2013, OCSP responders for MUST NOT CAs which are not Technically Constrained in line with Section 9.7 MUST NOT respond with a "good" status for such certificates.
> 
> Can you explain the rationale if the ballot 106 will be accepted that this is still necessary and warranted? Wouldn't ballot 106 actually make this redundant? If not, why?

As I read it, ballot 106 only changes the date to 2014, while this makes the exception permanent for Technically Constrained CAs.

At this time I'm inclined to oppose ballot 106, for two reasons:

1. I think an extra year is too long.  I would suggest more like 3 months.
2. I'm not convinced that there are any CAs for which more time will help; the CAs who aren't complying now don't appear to have definite plans which will achieve compliance nor definite dates by which they can comply.

On the overall topic, I would make this statement: Our software can do only one of two things in response to an OCSP query: it can treat the certificate as valid, or as invalid.  A 'good' response can only be interpreted one way: as an affirmative statement from the CA that our software should treat the certificate as valid.