[cabfpub] Ballot 167 - Baseline Requirements Corrections
sleevi at google.com
Fri Apr 15 19:12:32 UTC 2016
On Fri, Apr 15, 2016 at 12:03 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> The BRs require responding "revoked" if the certificate has not been
> issued while the RFCs specified that the CA should respond "Good".
Section 4.9.10 of BRs 1.3.4
If the OCSP responder receives a request for status of a certificate that
has not been issued, then the responder SHOULD NOT respond with a "good"
status. The CA SHOULD monitor the responder for such requests as part of
its security response procedures. Effective 1 August 2013, OCSP responders
for CAs which are not Technically Constrained in line with Section 7.1.5
MUST NOT respond with a "good" status for such certificates.
The requirement is that they don't respond "Good", not that they respond
> There is one issue I'm looking at that I plan to ballot soon (although I'm
> still doing research on the number of instances impacted). Microsoft
> crypto pre-Windows 10 does not support IP Address in the SAN:iPAddress. It
> must be in SAN:DNS. Considering that Windows 8 has not been deprecated,
> I'm planning on a ballot that would permit SAN:DNS to have IP Addresses
> until Windows 8 is no longer a factor. Any support for this?
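
Added example, not part of the original message and not any CA's code: the Section 4.9.10 text quoted above, sketched as responder logic, with a revocation-list-only responder (which answers "good" for a serial that was never issued) beside one that consults issuance records and logs non-issued requests for monitoring. The class and field names and the sample serials are constructed; the "revoked" form for non-issued serials follows RFC 6960 Section 2.2, which is an assumption about how a responder would choose to avoid "good".

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

@dataclass
class Status:
    cert_status: str                        # "good", "revoked" or "unknown"
    revocation_time: Optional[datetime] = None
    reason: Optional[str] = None
    extended_revoked: bool = False          # RFC 6960 extended-revoked extension present

def crl_only_status(serial: int, revoked: dict) -> Status:
    """Weak form: answers from the revocation list alone, so any serial
    that is not revoked, including one never issued, comes back "good"."""
    if serial in revoked:
        return Status("revoked", *revoked[serial])
    return Status("good")

@dataclass
class IssuanceAwareResponder:
    issued: set                             # serials the CA has a record of issuing
    revoked: dict                           # serial -> (revocation_time, reason)
    non_issued_answer: str = "revoked"      # or "unknown"; never "good"
    non_issued_requests: list = field(default_factory=list)

    def __post_init__(self):
        if self.non_issued_answer not in ("revoked", "unknown"):
            raise ValueError("non-issued serials must not be answered 'good'")

    def status(self, serial: int, requester: str) -> Status:
        if serial in self.revoked:
            return Status("revoked", *self.revoked[serial])
        if serial in self.issued:
            return Status("good")
        # Never issued: record the request for the CA's security monitoring.
        self.non_issued_requests.append((datetime.now(timezone.utc), requester, serial))
        if self.non_issued_answer == "revoked":
            # RFC 6960 2.2: certificateHold, 1 Jan 1970, extended-revoked extension.
            return Status("revoked", EPOCH, "certificateHold", extended_revoked=True)
        return Status("unknown")

# Constructed sample data (hypothetical serials).
ISSUED = {0x1001, 0x1002}
REVOKED = {0x1002: (datetime(2016, 4, 1, tzinfo=timezone.utc), "keyCompromise")}
```
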