[cabfpub] Ballot 103 - OCSP Staping and TLS Security Policy Extension

Robin Alden robin at comodo.com
Thu Sep 5 16:08:45 UTC 2013


Hi Ben,
	Yes, we'll endorse.

For the authorityInformationAccess, where you say
"This extension MUST be present. It MUST NOT be marked critical, and it
MUST contain the HTTP URL.."

I think there may be a case for allowing it to be marked critical if a
CA really wants to.  I can see good reasons for not doing so in the
general case, but do we really want to preclude it?

So I guess I'm saying that the "MUST NOT" there could perhaps be a
"SHOULD NOT".

Do you have a strong opinion on that element?

Regards
Robin


> -----Original Message-----
> From: Ben Wilson [mailto:ben at digicert.com]
> Sent: 04 September 2013 23:22
> To: public at cabforum.org
> Cc: 'Robin Alden'; 'Rob Stradling'
> Subject: Ballot 103 - OCSP Staping and TLS Security Policy Extension
> 
> Robin,
> If this draft is acceptable, then we would only be looking for one more
> endorser.  Please let me know.
> Thanks,
> Ben
> 
> Ballot 103 - OCSP Stapling and TLS Security Policy Extension
> 
> Explanation - This motion is made to clarify and simplify language about
> OCSP stapling and to promote the development and use of OCSP Stapling by
> allowing certificates to contain a TLS Security Policy Extension.
> 
> Ben Wilson of DigiCert made the following motion, and Robin Alden from
> Comodo and ______ from _______ endorsed it:
> 
> Motion Begins
> 
> EFFECTIVE IMMEDIATELY, in order to clarify language in section 13.2.1 of the
> Baseline Requirements and in Appendix B concerning
> authorityInformationAccess (AIA), and allow use of the TLS Security Policy
> Extension, we propose the following amendments:
> 
> (1) Delete the second paragraph of Section 13.2.1 "Mechanisms" so that as
> amended the section will read as follows:
> 
> "13.2.1 Mechanisms
> 
> The CA SHALL make revocation information for Subordinate Certificates and
> Subscriber Certificates available in accordance with Appendix B."
> 
> (2) In Appendix B "(2) Subordinate CA Certificate" replace point C.
> authorityInformationAccess with:
> 
> C. authorityInformationAccess
> 
> This extension MUST be present. It MUST NOT be marked critical, and it MUST
> contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
> 1.3.6.1.5.5.7.48.1).
> 
> For Certificates that are not issued by a Root CA, this extension SHOULD
> contain the HTTP URL where a copy of the Issuing CA's certificate
> (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online
> repository.
> 
> (3) In Appendix B "(3) Subscriber Certificate" replace point C.
> authorityInformationAccess with:
> 
> C. authorityInformationAccess
> 
> This extension MUST be present. It MUST NOT be marked critical, and it MUST
> contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod =
> 1.3.6.1.5.5.7.48.1).
> 
> This extension SHOULD contain the HTTP URL where a copy of the Issuing CA's
> certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a
> 24x7 online repository.
> 
> (4) In Appendix B "(3) Subscriber Certificate" replace point D.
> basicConstraints (optional) with:
> 
> D. basicConstraints (optional)
> If present, this field MUST be marked critical, and the cA field MUST be set
> to false.
> 
> (5) In Appendix B "(3) Subscriber Certificate" after point F insert a new
> point G (TLS Security Policy Extension) as follows:
> 
> G. TLS Security Policy Extension (optional)
> 
> Subscriber Certificates MAY contain the TLS Security Policy Extension
> [http://datatracker.ietf.org/doc/draft-hallambaker-tlssecuritypolicy/]
> advertising that the status_request feature of OCSP stapling is available
> and supported by the Subscriber. If present, this field SHOULD NOT be marked
> critical.
> 
> =====Motion Ends=====
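The AIA and basicConstraints rules in items (2) through (4) of the quoted ballot can be checked mechanically against an issued certificate. The Go program below is an added example for this archive page, not code from the CA/Browser Forum, Comodo or DigiCert: it builds a constructed self-signed end-entity certificate with the standard library, then reports every deviation from the ballot text as a MUST or SHOULD finding. The `http://` prefix test (a reading of "HTTP URL"), the finding wording, the `example.test` names and the `makeTestCert` helper are assumptions made here; item (5), the TLS Security Policy Extension, is not checked because the draft's extension OID is not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// id-pe-authorityInfoAccess (1.3.6.1.5.5.7.1.1) carries the OCSP (48.1) and
// caIssuers (48.2) accessMethods; id-ce-basicConstraints is 2.5.29.19.
var (
	oidAIA              = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}
	oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
)

// Finding is one deviation from the ballot text; Level is "MUST" or "SHOULD".
type Finding struct {
	Level string
	Msg   string
}

func (f Finding) String() string { return f.Level + ": " + f.Msg }

// hasHTTPURL is the assumed reading of "HTTP URL": at least one http:// entry.
func hasHTTPURL(urls []string) bool {
	for _, u := range urls {
		if strings.HasPrefix(strings.ToLower(u), "http://") {
			return true
		}
	}
	return false
}

// CheckSubscriberCert applies the AIA rules of ballot item (3) and the
// basicConstraints rule of item (4) to a parsed Subscriber Certificate.
func CheckSubscriberCert(cert *x509.Certificate) []Finding {
	var out []Finding
	var aia *pkix.Extension
	for i := range cert.Extensions {
		if cert.Extensions[i].Id.Equal(oidAIA) {
			aia = &cert.Extensions[i]
		}
	}
	if aia == nil {
		out = append(out, Finding{"MUST", "authorityInformationAccess extension is absent"})
	} else {
		if aia.Critical {
			out = append(out, Finding{"MUST", "authorityInformationAccess is marked critical"})
		}
		if !hasHTTPURL(cert.OCSPServer) {
			out = append(out, Finding{"MUST", "no HTTP URL for the OCSP responder (accessMethod 1.3.6.1.5.5.7.48.1)"})
		}
		if !hasHTTPURL(cert.IssuingCertificateURL) {
			out = append(out, Finding{"SHOULD", "no HTTP URL for the Issuing CA certificate (accessMethod 1.3.6.1.5.5.7.48.2)"})
		}
	}
	// basicConstraints is optional; when present it must be critical with cA=false.
	if cert.BasicConstraintsValid {
		for _, e := range cert.Extensions {
			if e.Id.Equal(oidBasicConstraints) && !e.Critical {
				out = append(out, Finding{"MUST", "basicConstraints is present but not marked critical"})
			}
		}
		if cert.IsCA {
			out = append(out, Finding{"MUST", "basicConstraints cA is true in a Subscriber Certificate"})
		}
	}
	return out
}

// makeTestCert builds a constructed, self-signed end-entity certificate for
// illustration only; empty ocsp/caIssuers strings omit that AIA entry.
func makeTestCert(ocsp, caIssuers string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // Go emits a critical basicConstraints with cA=false
		IsCA:                  false,
	}
	if ocsp != "" {
		tmpl.OCSPServer = []string{ocsp}
	}
	if caIssuers != "" {
		tmpl.IssuingCertificateURL = []string{caIssuers}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, _ := makeTestCert("http://ocsp.example.test", "http://cert.example.test/ca.crt")
	bad, _ := makeTestCert("", "")
	fmt.Println("compliant cert findings:", CheckSubscriberCert(good))
	fmt.Println("cert without AIA findings:", CheckSubscriberCert(bad))
}
```

The checker deliberately keeps MUST and SHOULD findings separate: under the ballot text a missing caIssuers URL is advisory for Subscriber Certificates, while a missing OCSP URL or a critical AIA is a hard failure, and a linter that reports both at one level hides that distinction.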