[cabfpub] Ballot 100: Extend Deadline - OCSP Good Response

Joseph.R.Kaluzny at wellsfargo.com
Fri May 24 07:59:10 MST 2013


To add a little history for this particular topic: we approached Microsoft with this concern about a year ago and, after learning support was not planned, approached the CAB and raised this as an issue for compliance. The response a year ago from the CAB was that it would be re-evaluated again this year to see where the industry is at, since it was well known that some vendors were out of compliance when this was put into the BR. Since we were told it would be re-evaluated, our expectations were that the BR would be adjusted based on current conditions. Vendors have not all come up to compliance as hoped for, so the BR should really be adjusted to allow those remaining products to be updated or for customers to move off those platforms.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of i-barreira at izenpe.net
Sent: Friday, May 24, 2013 2:37 AM
To: yngve at spec-work.net; public at cabforum.org
Subject: Re: [cabfpub] Ballot 100: Extend Deadline - OCSP Good Response

All, I think I said this several times but we're still falling into the same situation. Why? We tend to put an "effective date" when later on we have to change it for any reason, whatever. Why is August 2013 not OK, and why will August 2014 be? Are you sure of this? What will happen if Corestreet (this name has been mentioned) is not ready in August 2014 for any reason? Another extension?
If we want to become or to be credible, we are supposed to meet these dates, because supposedly we have agreed on them for some reason, and this is not happening at any time.
We, Izenpe, are a very small CSP but are trying to meet (and are meeting) all these requirements, but it's not fair that I can or have to do it since others can't make it.

Anyway, I agree with Yngve, it's disappointing, and I'm afraid that if we don't change this "effective date" method I'll have to vote NO this time (but well, it's just one vote).

Regards


Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net
945067705



-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Yngve N. Pettersen
Sent: Thursday, May 23, 2013 22:51
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 100: Extend Deadline - OCSP Good Response

Hello all,

Needless to say, I am disappointed to see such a ballot.

As part of the discussion of this ballot, may I suggest that the known vendors and products that can't meet the original deadline and the affected CAs be listed? (just use alphabetic listing, no need to connect the names from each category with each other.) I think knowing the extent of the problem is necessary for the discussion. It might also be an idea to consider if the vendors should be allowed to be part of the discussion.

Also, I would suggest that the original "SHOULD NOT" deadline of February 1, 2013 be kept, unless there are good reasons to move it to August.


On Thu, 23 May 2013 22:19:44 +0200, Ben Wilson <ben at digicert.com> wrote:

> Ballot 100 - Extend Deadline - OCSP Good Response
>
>
> Motion:
>
>
> Joe Kaluzny made the following motion, and Stephen Davidson and Steve 
> Roylance endorsed it:
>
> ---
>
>
> Motion begins
>
> ---
>
>
> EFFECTIVE IMMEDIATELY, in order to allow third party vendors of OCSP
> responders to enable their software to support the requirement, we
> propose extending the compliance deadline for section 13.2.6 with the
> following erratum:
>
> ---
>
>
> Erratum begins
>
>
> ---
>
>
> In Section 13.2.6 of the Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates, DELETE:
>
>
> 13.2.6 Response for non-issued certificates
>
>
> If the OCSP responder receives a request for status of a certificate 
> that has not been issued, then the responder SHOULD NOT respond with a "good"
> status. The CA SHOULD monitor the responder for such requests as part 
> of its security response procedures.
>
>
> Effective 1 August 2013, OCSP responders MUST NOT respond with a "good"
> status for such certificates.
>
>
> And INSERT:
>
>
> 13.2.6 Response for non-issued certificates
>
>
> If the OCSP responder receives a request for status of a certificate 
> that has not been issued, then the responder SHOULD NOT respond with a "good"
> status. The CA SHOULD monitor the responder for such requests as part 
> of its security response procedures.
>
>
> Effective 1 August 2013, OCSP responders SHOULD NOT respond with a "good"
> status for such certificates.
>
>
> Effective 1 August 2014, OCSP responders MUST NOT respond with a "good"
> status for such certificates.
>
>
> ---
>
>
> Erratum ends
>
>
> ---
>
> The ballot review period comes into effect at 2100 UTC on 23 May 2013 and
> will close at 2100 UTC on 30 May 2013. Unless the motion is withdrawn during
> the review period, the voting period will start immediately thereafter and
> will close at 2100 UTC on 6 June 2013.
>
> Votes must be cast by an on-list reply to this thread.
>
>
> A vote in favor of the motion must indicate a clear 'yes' in the response. A
> vote against must indicate a clear 'no' in the response. A vote to abstain
> must indicate a clear 'abstain' in the response. Unclear responses will not
> be counted.
>
>
> The latest vote received from any representative of a voting member before
> the close of the voting period will be counted.
>
> ---
>
>
> Motion ends
>
> ---
>
>
> Voting members are listed here: http://www.cabforum.org/forum.html
>
>
> In order for the motion to be adopted, two thirds or more of the votes cast
> by members in the CA category and one half or more of the votes cast by
> members in the browser category must be in favor. The current quorum number
> is seven. Therefore, at least seven members must participate in the ballot,
> either by voting in favor, voting against, or indicating their abstention.
>
>


-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public