[cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit OCSP good response for non-issued certificates

Steve Roylance steve.roylance at globalsign.com
Tue Jul 23 17:55:36 UTC 2013


Hi Kelvin,

I also think it's vitally important to include some of the other
stakeholders - (Certificate Authority platform providers like
Primekey/Ascertia/Microsoft/Entrust etc. and OCSP responder service providers
like Corestreet).

Ideally we should list compliant solutions on the CABForum website so that
there's some small pressure to meet the new deadlines (small carrot rather
than small stick).  That was my main point when I first raised the
suggestion a while ago so I want to ensure it's followed up again here.

Hopefully ballot 105 will pass to allow an alternative for those who are
able to constrain.  (Not to lessen the effect of the request to platform
providers, but to ensure choice in the market for consumers)

Steve

From:  Kelvin Yiu <kelviny at exchange.microsoft.com>
Date:  Tuesday, 23 July 2013 17:48
To:  Ryan Hurst <ryan.hurst at globalsign.com>
Cc:  "public at cabforum.org" <public at cabforum.org>
Subject:  Re: [cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit
OCSP good response for non-issued certificates

Thanks Ryan. I agree that browser vendors should take action to ensure all
CAs in their relative root CA program are aware of the requirement and
deadline. 
 
I also think the forum needs to accomplish 2 tasks before we talk to the
remaining CAs:
 
1.      Complete the assessment of the product support by commercial OCSP
vendors

2.      Re-examine the security implications of the requirement on the
ability to limit network access by CA servers

 
Kelvin
 

From: Ryan Hurst [mailto:ryan.hurst at globalsign.com]
Sent: Monday, July 22, 2013 9:59 PM
To: Kelvin Yiu
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 106 DRAFT - Extended deadline to prohibit OCSP
good response for non-issued certificates
 

You have an endorser in me but I would like to see us agree to take some
action to ensure we're not just going to slip the date again.

 

Can the browsers agree to notify all CAs who are not part of this group of
the impending date?

Ryan Hurst

Chief Technology Officer

GMO Globalsign

 

twitter: @rmhrisk

email: ryan.hurst at globalsign.com

phone: 206-650-7926

 

Sent from my phone, please forgive the brevity.


On Jul 23, 2013, at 3:14 AM, Kelvin Yiu <kelviny at exchange.microsoft.com>
wrote:
> 
> I am looking for 2 endorsers of ballot 106 to extend the deadline to prohibit
> OCSP good response for non-issued certificates by 1 year. I am somewhat
> flexible on the date, but I do think it should be extended by at least 6-12
> months to give CAs enough time to comply. Here is the draft motion.
>  
>  
>  
> Ballot 106 - Extension of Deadline for Prohibition of "Good Response" for
> Non-Issued Certificates
>  
> Given that several CAs have notified the CA/Browser Forum that they will be
> unable to comply with the 1-August-2013 deadline by which OCSP responders MUST
> NOT respond with a "good" status for unissued certificates,  and that a
> one-year extension of this deadline is an appropriate timeframe by which these
> CAs should be able to come into compliance;
>  
> Kelvin Yiu made the following motion, and ___ from ____ and _______ from
> _______ endorsed it:
>  
> Motion Begins 
>  
> EFFECTIVE RETROACTIVELY TO 1 AUGUST 2013,
>  
> The last sentence of Section 13.2.6 of the Baseline Requirements (Response for
> non-issued certificates) is hereby amended to read as follows:
>  
> "Effective 1 August 2014, OCSP responders MUST NOT respond with a "good"
> status for such certificates."
>  
> Motion Ends
>  
> Thanks,
>  
> Kelvin
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public