[cabfpub] Ballot 100: Extend Deadline - OCSP Good Response

Yngve N. Pettersen yngve at spec-work.net
Thu May 23 20:50:55 UTC 2013


Hello all,

Needless to say, I am disappointed to see such a ballot.

As part of the discussion of this ballot, may I suggest that the known  
vendors and products that can't meet the original deadline and the  
affected CAs be listed? (just use alphabetic listing, no need to connect  
the names from each category with each other.) I think knowing the extent  
of the problem is necessary for the discussion. It might also be an idea  
to consider if the vendors should be allowed to be part of the discussion.

Also, I would suggest that the original "SHOULD NOT" deadline of February  
1, 2013 be kept, unless there are good reasons to move it to August.


On Thu, 23 May 2013 22:19:44 +0200, Ben Wilson <ben at digicert.com> wrote:

> Ballot 100 - Extend Deadline - OCSP Good Response
>
>
> Motion:
>
>
> Joe Kaluzny made the following motion, and Stephen Davidson and Steve
> Roylance endorsed it:
>
> ---
>
>
> Motion begins
>
> ---
>
>
> EFFECTIVE IMMEDIATELY, in order to allow third party vendors of OCSP
> responders to enable their software to support the requirement, we propose
> extending the compliance deadline for section 13.2.6 with the following
> erratum:
>
> ---
>
>
> Erratum begins
>
>
> ---
>
>
> In Section 13.2.6 of the Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates, DELETE:
>
>
> 13.2.6 Response for non-issued certificates
>
>
> If the OCSP responder receives a request for status of a certificate that
> has not been issued, then the responder SHOULD NOT respond with a "good"
> status. The CA SHOULD monitor the responder for such requests as part of its
> security response procedures.
>
>
> Effective 1 August 2013, OCSP responders MUST NOT respond with a "good"
> status for such certificates.
>
>
> And INSERT:
>
>
> 13.2.6 Response for non-issued certificates
>
>
> If the OCSP responder receives a request for status of a certificate that
> has not been issued, then the responder SHOULD NOT respond with a "good"
> status. The CA SHOULD monitor the responder for such requests as part of its
> security response procedures.
>
>
> Effective 1 August 2013, OCSP responders SHOULD NOT respond with a "good"
> status for such certificates.
>
>
> Effective 1 August 2014, OCSP responders MUST NOT respond with a "good"
> status for such certificates.
>
>
> ---
>
>
> Erratum ends
>
>
> ---
>
> The ballot review period comes into effect at 2100 UTC on 23 May 2013 and
> will close at 2100 UTC on 30 May 2013. Unless the motion is withdrawn during
> the review period, the voting period will start immediately thereafter and
> will close at 2100 UTC on 6 June 2013.
>
> Votes must be cast by an on-list reply to this thread.
>
>
> A vote in favor of the motion must indicate a clear 'yes' in the response. A
> vote against must indicate a clear 'no' in the response. A vote to abstain
> must indicate a clear 'abstain' in the response. Unclear responses will not
> be counted.
>
>
> The latest vote received from any representative of a voting member before
> the close of the voting period will be counted.
>
> ---
>
>
> Motion ends
>
> ---
>
>
> Voting members are listed here: http://www.cabforum.org/forum.html
>
>
> In order for the motion to be adopted, two thirds or more of the votes cast
> by members in the CA category and one half or more of the votes cast by
> members in the browser category must be in favor. The current quorum number
> is seven. Therefore, at least seven members must participate in the ballot,
> either by voting in favor, voting against, or indicating their abstention.
>
>


-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/


