[cabfpub] Ballot 103 - OCSP Stapling and TLS Security Policy Extension

Ben Wilson ben at digicert.com
Tue Oct 15 12:18:23 MST 2013


Bruce and all,
If the following language "this field MUST be marked critical" is removed
from subsection (4) of the ballot, does that satisfy everyone's concerns?
See restated ballot below.
Ben

Ballot 103 - OCSP Stapling and TLS Security Policy Extension

Explanation - This motion is made to clarify and simplify language about
OCSP stapling and to promote the development and use of OCSP Stapling by
allowing certificates to contain a TLS Security Policy Extension.

Ben Wilson of DigiCert made the following motion, and Robin Alden from
Comodo and ______ from _______ endorsed it:

Motion Begins

EFFECTIVE IMMEDIATELY, in order to clarify language in section 13.2.1 of the
Baseline Requirements and in Appendix B concerning
authorityInformationAccess (AIA), and allow use of the TLS Security Policy
Extension, we propose the following amendments:

(1) Delete the second paragraph of Section 13.2.1 "Mechanisms" so that as
amended the section will read as follows:

"13.2.1 Mechanisms

The CA SHALL make revocation information for Subordinate Certificates and
Subscriber Certificates available in accordance with Appendix B."

(2) In Appendix B "(2) Subordinate CA Certificate" replace point C.
authorityInformationAccess with:

C. authorityInformationAccess

This extension MUST be present. It MUST NOT be marked critical, and it MUST
contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1).

For Certificates that are not issued by a Root CA, this extension SHOULD
contain the HTTP URL where a copy of the Issuing CA's certificate
(accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online
repository.

(3) In Appendix B "(3) Subscriber Certificate" replace point C.
authorityInformationAccess with:

C. authorityInformationAccess

This extension MUST be present. It MUST NOT be marked critical, and it MUST
contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1).

This extension SHOULD contain the HTTP URL where a copy of the Issuing CA's
certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a
24x7 online repository.

(4) In Appendix B "(3) Subscriber Certificate" replace point D.
basicConstraints (optional) with:

D. basicConstraints (optional)
If present, the cA field MUST be set to false.

(5) In Appendix B "(3) Subscriber Certificate" after point F insert a new
point G (TLS Security Policy Extension) as follows:

G. TLS Security Policy Extension (optional)

Subscriber Certificates MAY contain the TLS Security Policy Extension
[http://datatracker.ietf.org/doc/draft-hallambaker-tlssecuritypolicy/]
advertising that the status_request feature of OCSP stapling is available
and supported by the Subscriber. If present, this field SHOULD NOT be marked
critical.

=====Motion Ends=====


-----Original Message-----
From: Bruce Morton [mailto:bruce.morton at entrust.com] 
Sent: Thursday, September 05, 2013 10:58 AM
To: ben at digicert.com; questions at cabforum.org
Subject: RE: [cabfpub] Ballot 103 - OCSP Staping and TLS Security Policy
Extension

Ben,

The ballot requires for Subscriber Certificates that the optional OID of
basicConstraints be set to critical. I'm not sure why this optional OID
needs to be set at critical, but if it does then some CAs will have to make
a change. As such, I do not believe that the ballot should be "EFFECTIVE
IMMEDIATELY."

Just so we understand, can someone please advise why the basicConstraints
OID needs to be set as critical for a Subscriber Certificate.

Thanks, Bruce.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Wednesday, September 04, 2013 6:22 PM
To: public at cabforum.org
Subject: [cabfpub] Ballot 103 - OCSP Staping and TLS Security Policy
Extension

Robin,
If this draft is acceptable, then we would only be looking for one more
endorser.  Please let me know.
Thanks,
Ben

Ballot 103 - OCSP Stapling and TLS Security Policy Extension

Explanation - This motion is made to clarify and simplify language about
OCSP stapling and to promote the development and use of OCSP Stapling by
allowing certificates to contain a TLS Security Policy Extension.

Ben Wilson of DigiCert made the following motion, and Robin Alden from
Comodo and ______ from _______ endorsed it:

Motion Begins

EFFECTIVE IMMEDIATELY, in order to clarify language in section 13.2.1 of the
Baseline Requirements and in Appendix B concerning
authorityInformationAccess (AIA), and allow use of the TLS Security Policy
Extension, we propose the following amendments:

(1) Delete the second paragraph of Section 13.2.1 "Mechanisms" so that as
amended the section will read as follows:

"13.2.1 Mechanisms

The CA SHALL make revocation information for Subordinate Certificates and
Subscriber Certificates available in accordance with Appendix B."

(2) In Appendix B "(2) Subordinate CA Certificate" replace point C.
authorityInformationAccess with:

C. authorityInformationAccess

This extension MUST be present. It MUST NOT be marked critical, and it MUST
contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1).

For Certificates that are not issued by a Root CA, this extension SHOULD
contain the HTTP URL where a copy of the Issuing CA's certificate
(accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online
repository.

(3) In Appendix B "(3) Subscriber Certificate" replace point C.
authorityInformationAccess with:

C. authorityInformationAccess

This extension MUST be present. It MUST NOT be marked critical, and it MUST
contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
1.3.6.1.5.5.7.48.1).

This extension SHOULD contain the HTTP URL where a copy of the Issuing CA's
certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a
24x7 online repository.

(4) In Appendix B "(3) Subscriber Certificate" replace point D.
basicConstraints (optional) with:

D. basicConstraints (optional)
If present, this field MUST be marked critical, and the cA field MUST be set
to false.

(5) In Appendix B "(3) Subscriber Certificate" after point F insert a new
point G (TLS Security Policy Extension) as follows:

G. TLS Security Policy Extension (optional)

Subscriber Certificates MAY contain the TLS Security Policy Extension
[http://datatracker.ietf.org/doc/draft-hallambaker-tlssecuritypolicy/]
advertising that the status_request feature of OCSP stapling is available
and supported by the Subscriber. If present, this field SHOULD NOT be marked
critical.

=====Motion Ends=====