[Servercert-wg] Aligning the BRs with existing Browser Requirements
Ryan Sleevi
sleevi at google.com
Sat Oct 12 11:06:05 MST 2019
In the short time since sending this, I've already had someone point me to
another Root Program requirement that overrides or goes above and beyond
the BRs.
The requirements on OCSP for Subscriber certificates are updated to align
with the requirements placed by Microsoft:
- The BRs allow for the omission of the OCSP responder, if and only if
it's for a high-traffic FQDN (an undefined term in terms of degree), and if
the CA contractually or technically enforces this.
- Microsoft requires OCSP support in all end-entity certificates,
regardless of the stapling status
(https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#a-root-requirements #5)
- The BRs permit omitting OCSP responder URLs from intermediates if the
server staples according to RFC 4366. However, RFC 4366 does not allow
stapling intermediate responses (that's RFC 6961, now obsoleted by RFC
8446), so there was never a way a CA could legitimately comply with the
provisions here in a way that permitted omission for intermediates.
- This updates Section 4.9.11 to remove the contract language, Section
7.1.2.2(c) to reflect it was never possible, and Section 7.1.2.3(c) to
reflect that Microsoft policy does not permit this, despite the BRs
allowing it.
You can see that change in isolation at
https://github.com/cabforum/documents/commit/5c40604fecffecfdc889e225fe60d717c17af583,
or the overall set of changes continues to be available at
https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
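As an added example (not part of the message above or of the CA/Browser Forum documents), here is a minimal stdlib-only check of the kind a certificate linter would apply for the Microsoft rule discussed: walk the DER of a certificate's AuthorityInfoAccess extension value and report its OCSP responder URLs, so an end-entity certificate with none can be flagged. The AIA values and URLs are constructed for the example, not taken from any real certificate.

```python
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"  # accessMethod for an OCSP responder

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content octets into dotted form."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def parse_aia(der):
    """Map accessMethod OID -> [URI, ...] from an AIA extension value."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccessSyntax must be a SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)        # one AccessDescription
        oid_tag, oid_val, p = read_tlv(desc, 0)
        gn_tag, gn_val, _ = read_tlv(desc, p)
        if tag == 0x30 and oid_tag == 0x06 and gn_tag == 0x86:  # [6] URI
            out.setdefault(decode_oid(oid_val), []).append(gn_val.decode("ascii"))
    return out

def ocsp_urls(der):
    """OCSP responder URLs; an empty list on an end-entity cert fails the Microsoft rule."""
    return parse_aia(der).get(ID_AD_OCSP, [])

# Constructed sample extension values (not from any real certificate).
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body          # short-form length is enough here
OCSP_OID = bytes.fromhex("06082b06010505073001")   # id-ad-ocsp
CAISS_OID = bytes.fromhex("06082b06010505073002")  # id-ad-caIssuers
def _access(oid, uri):
    return _tlv(0x30, oid + _tlv(0x86, uri.encode("ascii")))
AIA_WITH_OCSP = _tlv(0x30, _access(OCSP_OID, "http://ocsp.example.test")
                     + _access(CAISS_OID, "http://ca.example.test/issuer.crt"))
AIA_CA_ISSUERS_ONLY = _tlv(0x30, _access(CAISS_OID, "http://ca.example.test/issuer.crt"))
```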