[cabfpub] Ballot 167 - Baseline Requirements Corrections

Ryan Sleevi sleevi at google.com
Fri Apr 15 19:12:32 UTC 2016

On Fri, Apr 15, 2016 at 12:03 PM, Jeremy Rowley <jeremy.rowley at digicert.com>

> The BRs require responding "revoked" if the certificate has not been
> issued while the RFCs specified that the CA should respond "Good".


Section 4.9.10 of BRs 1.3.4

If the OCSP responder receives a request for status of a certificate that
has not been issued, then the responder SHOULD NOT respond with a "good"
status. The CA SHOULD monitor the responder for such requests as part of
its security response procedures. Effective 1 August 2013, OCSP responders
for CAs which are not Technically Constrained in line with Section 7.1.5
MUST NOT respond with a "good" status for such certificates.

The requirement is that they don't respond "Good", not that they respond

> There is one issue I'm looking at that I plan to ballot soon (although I'm
> still doing research on the number of instances impacted).  Microsoft
> crypto pre-Windows 10 does not support IP Address in the SAN:iPAddress. It
> must be in SAN:DNS.  Considering that Windows 8 has not been deprecated,
> I'm planning on a ballot that would permit SAN:DNS to have IP Addresses
> until Windows 8 is no longer a factor. Any support for this?

Not here.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160415/2a835a2d/attachment-0003.html>

More information about the Public mailing list