[cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit OCSP good response for non-issued certificates

Kelvin Yiu kelviny at exchange.microsoft.com
Tue Jul 23 16:48:46 UTC 2013


Thanks Ryan. I agree that browser vendors should take action to ensure all CAs in their relative root CA program are aware of the requirement and deadline.

I also think the forum needs to accomplish 2 tasks before we talk to the remaining CAs:

1. Complete the assessment of the product support by commercial OCSP vendors

2. Re-examine the security implications of the requirement on the ability to limit network access by CA servers

Kelvin

From: Ryan Hurst [mailto:ryan.hurst at globalsign.com]
Sent: Monday, July 22, 2013 9:59 PM
To: Kelvin Yiu
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit OCSP good response for non-issued certificates

You have an endorser in me but I would like to see us agree to take some action to ensure we're not just going to slip the date again.

Can the browsers agree to notify all CAs who are not part of this group of the impending date?

Ryan Hurst
Chief Technology Officer
GMO Globalsign

twitter: @rmhrisk
email: ryan.hurst at globalsign.com
phone: 206-650-7926

Sent from my phone, please forgive the brevity.

On Jul 23, 2013, at 3:14 AM, Kelvin Yiu <kelviny at exchange.microsoft.com> wrote:
I am looking for 2 endorsers of ballot 106 to extend the deadline to prohibit OCSP good response for non-issued certificates by 1 year. I am somewhat flexible on the date, but I do think it should be extended by at least 6-12 months to give CAs enough time to comply. Here is the draft motion.



Ballot 106 – Extension of Deadline for Prohibition of “Good Response” for Non-Issued Certificates

Given that several CAs have notified the CA/Browser Forum that they will be unable to comply with the 1-August-2013 deadline by which OCSP responders MUST NOT respond with a "good" status for unissued certificates, and that a one-year extension of this deadline is an appropriate timeframe by which these CAs should be able to come into compliance;

Kelvin Yiu made the following motion, and ___ from ____ and _______ from _______ endorsed it:

Motion Begins

EFFECTIVE RETROACTIVELY TO 1 AUGUST 2013,

The last sentence of Section 13.2.6 of the Baseline Requirements (Response for non-issued certificates) is hereby amended to read as follows:

“Effective 1 August 2014, OCSP responders MUST NOT respond with a "good" status for such certificates.”

Motion Ends

Thanks,

Kelvin