[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Stephen Davidson S.Davidson at quovadisglobal.com
Wed Jul 24 05:31:40 MST 2013


"If you can't provide this, we will need to switch vendor"

This only works when there is an array of vendors that support the changed
requirement.  There were not.  Some of the third party vendors only
supported whitelist when used with their own PKI.  For some of the more
commonly used vendors, integration with third party PKI whitelists only
recently became possible (or is still under development).

"it is the CAs' responsibility to ensure they meet the requirements"

Clearly the dozen or so CAs in that are active in the CA/B Forum were aware
of the change and are implementing it.  There are many other public CAs
around the world who do SSL on a smaller scale and were informed by the
browsers that they must comply the BR.  We have no idea how many of them
have implemented the change to OCSP whitelist.  I guess we'll soon find out.
So, I disagree:  when the CA/B Forum changes something that is an accepted
norm in the industry, and we are serious about driving adoption, we have a
responsibility to focus attention on the change and explain what it means.

Regards, Stephen


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Sigbjørn Vik
Sent: Wednesday, July 24, 2013 4:09 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good
response for non-issued certificates

On 23-Jul-13 22:20, Ben Wilson wrote:
> Corrected -
> 
> Ballot 106 – Extended Deadline to Prohibit OCSP “Good” Response for 
> Non-Issued Certificates

Opera votes NO

On 24-Jul-13 00:30, Stephen Davidson wrote:
> many CAs use OCSP software from external vendors.  CA/B Forum never 
> communicated with those vendors that it was changing, in effect, a 
> standard mode of operation.

It is not the responsibility of the CA/B Forum to contact OCSP vendors.
If their customers (CAs) have new requirements, it is the CAs'
responsibility to ensure they meet the requirements. Typically this is done
by informing the vendor that "After date X, we need support for Y.
If you can't provide this, we will need to switch vendor." Blaming OCSP
vendors is missing the mark, any CAs who failed to require proper support
from their vendors and subsequently failed to switch vendors, have nobody
but themselves to blame.

On 24-Jul-13 00:34, Kelvin Yiu wrote:
> I do not want CAs
> to rush the deployment OCSP responders where the OCSP responder may 
> require network access to the CA server to obtain the real time \ 
> status of certificates.

Setting the OCSP responder up as a network bridge does indeed sound like an
unwise setup. A much better solution would presumably be to push new serials
to the responder, it would completely avoid the issues you are concerned
about. This is e.g. how CT will operate.


--
Sigbjørn Vik
Opera Software
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5494 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20130724/d7213454/attachment.bin 


More information about the Public mailing list