[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Oct 18 00:10:00 MST 2019

On 2019-10-17 9:33 μ.μ., Ryan Sleevi via Servercert-wg wrote:
> The suggested resolution was a ballot that *only* changes 4.9.10, to say
> If the OCSP responder receives an OCSP request for the status of a 
> serial number that has not been reserved or assigned, using any 
> current or previous issuing key for the CA subject, then the responder 
> SHOULD NOT respond with a "good" status. A serial number is considered 
> reserved if it has appeared within a Precertificate, as described 
> within RFC 6962, associated with that CA subject, either directly or 
> via a Precertificate Signing Certificate. A serial number is 
> considered assigned if it has appeared within a Certificate associated 
> with that CA subject. OCSP responders for CAs that are not Technically 
> Constrained in line with Section 7.1.5 MUST NOT respond with a "good" 
> status for such certificates. The CA SHOULD monitor the responder for 
> such requests as part of its security response procedures.

I believe this language is very difficult to understand, at least for 
me. Perhaps we should break down these sentences defining what it means 
for a serial number to be "reserved" or "assigned" (we don't need to add 
in section 1.6.1) and then state the requirements. I think it would be 
easier to read.

I also think that we no longer need to differentiate between Technically 
Constrained subCAs and unconstrained ones. They all must adhere to the 
MUST rule since 2013-08-01.


More information about the Servercert-wg mailing list