[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Oct 18 03:37:56 MST 2019

On 18/10/2019 10:10 AM, Dimitris Zacharopoulos (HARICA) via 
Servercert-wg wrote:
> On 2019-10-17 9:33 PM, Ryan Sleevi via Servercert-wg wrote:
>> The suggested resolution was a ballot that *only* changes 4.9.10, to say
>> If the OCSP responder receives an OCSP request for the status of a 
>> serial number that has not been reserved or assigned, using any 
>> current or previous issuing key for the CA subject, then the 
>> responder SHOULD NOT respond with a "good" status. A serial number is 
>> considered reserved if it has appeared within a Precertificate, as 
>> described within RFC 6962, associated with that CA subject, either 
>> directly or via a Precertificate Signing Certificate. A serial number 
>> is considered assigned if it has appeared within a Certificate 
>> associated with that CA subject. OCSP responders for CAs that are not 
>> Technically Constrained in line with Section 7.1.5 MUST NOT respond 
>> with a "good" status for such certificates. The CA SHOULD monitor the 
>> responder for such requests as part of its security response procedures.
> I believe this language is very difficult to understand, at least for 
> me. Perhaps we should break down these sentences defining what it 
> means for a serial number to be "reserved" or "assigned" (we don't 
> need to add in section 1.6.1) and then state the requirements. I think 
> it would be easier to read.
> I also think that we no longer need to differentiate between 
> Technically Constrained subCAs and unconstrained ones. They all must 
> adhere to the MUST rule since 2013-08-01.

I was under the impression that the SHOULD was for Technically 
Constrained subCAs and there was a rule to change them to MUST after 
2013-08-01. This is not the case so the commit related to the removal of 
effective date for TCSCAs is fine.

I recall this being discussed at some point and there was intent to 
require this from Technically constrained subCAs but I can't dig up the 
archives now.


> Dimitris.