[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Kelvin Yiu kelviny at exchange.microsoft.com
Tue Jul 23 15:34:15 MST 2013


I don't disagree that this is an eleventh hour ballot and I think we can take more time to discuss and fine tune the proposal. I do think a 90 day extension is too short and I want to give the Forum enough time to find the right solution.

Kelvin

From: Rich Smith [mailto:richard.smith at comodo.com]
Sent: Tuesday, July 23, 2013 1:22 PM
To: ben at digicert.com; public at cabforum.org; Kelvin Yiu
Subject: RE: [cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Kelvin,
I'm against this ballot.  Not because I necessarily believe that we shouldn't allow more time to comply, but because this ballot is, necessarily due to the impending deadline, being rushed through and it adds a full year to the current deadline.  I don't think that is warranted today, or at least I don't think we currently have enough information to say it's warranted, or that we will not just be rushing to extend it or do away with it again next year.

I think that if we are going to extend the deadline with a rushed, eleventh hour ballot we should only extend it by 90 days.  Tom made some valid points regarding this requirement possibly presenting some security concerns for enterprises and in light of that I'm open to some additional discussion and study of the ramifications of this requirement.  90 days should be ample time to gather additional information and discuss this in more depth than we can do in the next 2 weeks, with the deadline looming and many people in summer holiday mode.  Towards the end of the 90 day extension, based upon study, discussion, and hopefully some additional knowledge of the overall situation perhaps we can then discuss pushing the deadline to August 1, 2014, but IMO going that far out without having some significant questions answered is ill-advised.

Regards,
Rich

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Tuesday, July 23, 2013 12:44 PM
To: public at cabforum.org
Subject: [cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Ballot 106 - Extended Deadline to Prohibit OCSP "Good" Response for Non-Issued Certificates

Given that several CAs have notified the CA/Browser Forum that they will be unable to comply with the 1-August-2013 deadline by which OCSP responders MUST NOT respond with a "good" status for unissued certificates, and that a one-year extension of this deadline is an appropriate timeframe by which these CAs should be able to come into compliance;

Kelvin Yiu made the following motion, and Eddy Nigg from StartCom, Ryan Hurst from GlobalSign, and Iida Yosiaki from SECOM, and Inigo Barreira of Izenpe endorsed it:

Motion Begins

EFFECTIVE RETROACTIVELY TO 1 AUGUST 2013,

The last sentence of Section 13.2.6 of the Baseline Requirements (Response for non-issued certificates) is hereby amended to read as follows:

"Effective 1 August 2014, OCSP responders MUST NOT respond with a "good" status for such certificates."

Motion Ends

The ballot review period comes into effect immediately upon posting today (Tuesday, 23 July 2013) and will close at 2200 UTC on Tuesday, 30 July 2013.  Unless the ballot is withdrawn or modified during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on Tuesday, 6 August 2013.  If the ballot is modified for reasons other than to correct minor typographical errors, then the ballot will be deemed to have been withdrawn.

Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the ballot must indicate a clear 'yes' in the response.

A vote against the ballot must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted.

Voting members are listed here: http://www.cabforum.org/forum.html

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and more than one half of the votes cast by members in the browser category must be in favor. Also, quorum is currently set at seven (7) members-- at least seven members must participate in the ballot, either by voting in favor, voting against, or by abstaining for the vote to be valid.
