[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Mon Oct 21 08:56:09 MST 2019
On 2019-10-18 10:10 AM, Dimitris Zacharopoulos (HARICA) via
Servercert-wg wrote:
>
>
> On 2019-10-17 9:33 PM, Ryan Sleevi via Servercert-wg wrote:
>> The suggested resolution was a ballot that *only* changes 4.9.10, to say
>>
>> If the OCSP responder receives an OCSP request for the status of a
>> serial number that has not been reserved or assigned, using any
>> current or previous issuing key for the CA subject, then the
>> responder SHOULD NOT respond with a "good" status. A serial number is
>> considered reserved if it has appeared within a Precertificate, as
>> described within RFC 6962, associated with that CA subject, either
>> directly or via a Precertificate Signing Certificate. A serial number
>> is considered assigned if it has appeared within a Certificate
>> associated with that CA subject. OCSP responders for CAs that are not
>> Technically Constrained in line with Section 7.1.5 MUST NOT respond
>> with a "good" status for such certificates. The CA SHOULD monitor the
>> responder for such requests as part of its security response procedures.
Here is the current 4.9.10:
"4.9.10 On-line revocation checking requirements
Effective 1 January 2013, the CA SHALL support an OCSP capability using
the GET method for Certificates issued in accordance with these
Requirements.
For the status of Subscriber Certificates:
The CA SHALL update information provided via an Online Certificate
Status Protocol at least every four days. OCSP responses from this
service MUST have a maximum expiration time of ten days.
For the status of Subordinate CA Certificates:
The CA SHALL update information provided via an Online Certificate
Status Protocol at least (i) every twelve months and (ii) within 24
hours after revoking a Subordinate CA Certificate.
If the OCSP responder receives a request for status of a certificate
that has not been issued, then the responder SHOULD NOT respond with a
"good" status. The CA SHOULD monitor the responder for such requests as
part of its security response procedures.
Effective 1 August 2013, OCSP responders for CAs which are not
Technically Constrained in line with Section 7.1.5 MUST NOT respond with
a "good" status for such certificates."
I see an additional possible interpretation problem with the way this
section is structured. It seems that the requirements apply differently
to Subscriber and to CA Certificates because the last part is after the
"For the status of Subordinate CA Certificate:" opening. This is clearly
not the intent as these last two requirements are related to the status
of "Subscriber Certificates".
Here is my proposed text for 4.9.10, clarifying some points and taking
into account your suggestions:
"For the status of Subscriber and CA Certificates issued in accordance
with these Requirements the CA SHALL support OCSP responses using the
GET method.
For the status of Subscriber Certificates:
* The CA SHALL update information provided via an Online Certificate
Status Protocol at least every four (4) days. OCSP responses from
this service MUST have a maximum expiration time of ten (10) days.
* For CAs that are not Technically Constrained in line with Section 7.1.5,
the OCSP responder MUST NOT respond with a "good" status unless the
requested Certificate serial number has been "reserved" or "assigned"
(see note below). The CA SHOULD monitor the OCSP responder for requests
for serial numbers that are neither "reserved" nor "assigned" as part
of its security response procedures.
*Note:* A serial number is considered:
* "reserved" if it appears within a "Precertificate" associated with
the Issuing CA, either directly or via a "Precertificate Signing
Certificate". The terms "Precertificate" and "Precertificate Signing
Certificate" are described in RFC 6962.
* "assigned" if it appears within a Subscriber Certificate associated
with the Issuing CA.
For the status of Subordinate CA Certificates the CA SHALL update
information provided via an Online Certificate Status Protocol at least
(i) every twelve (12) months and (ii) within twenty-four (24) hours
after revoking a Subordinate CA Certificate."
Of course further improvements are welcome.
Dimitris.
>
> I believe this language is very difficult to understand, at least for
> me. Perhaps we should break down these sentences defining what it
> means for a serial number to be "reserved" or "assigned" (we don't
> need to add in section 1.6.1) and then state the requirements. I think
> it would be easier to read.
>
> I also think that we no longer need to differentiate between
> Technically Constrained subCAs and unconstrained ones. They all must
> adhere to the MUST rule since 2013-08-01.
>
> Dimitris.
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
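The "reserved"/"assigned" rule discussed above, as an added worked example that is not part of the ballot text or of any CA's OCSP software. It models a responder's status decision over constructed in-memory records rather than parsed DER: serials seen in Precertificates (directly or via a Precertificate Signing Certificate) are reserved for the CA subject, serials seen in Certificates are assigned, lookups are keyed by CA subject rather than by issuing key so a re-keyed CA still matches, and any request for a serial that is neither is never answered "good" and is logged for the security response procedure. The names `IssuedObject`, `SerialRegistry` and `issuer_name_hash`, the DNs and the serial numbers are all assumptions made for the example; the example applies the MUST NOT rule to every responder rather than distinguishing Technically Constrained CAs.

```python
"""OCSP status decision for the "reserved"/"assigned" serial-number rule.

Added example, not part of the ballot or any CA's software. Certificates and
precertificates are constructed in-memory records, not parsed DER.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class IssuedObject:
    """Stand-in for a parsed Certificate or Precertificate (constructed data)."""
    serial: int
    issuer: str                 # subject DN of the object's direct signer
    is_precert: bool = False    # RFC 6962 poison extension present
    # Set when a Precertificate was signed by a Precertificate Signing
    # Certificate: the subject DN of the CA that issued that signing cert.
    precert_signing_ca: Optional[str] = None


def issuer_name_hash(subject_dn: str) -> bytes:
    """Stand-in for the CertID issuerNameHash (SHA-1 over the issuer Name).

    A real responder hashes the DER-encoded Name; this hashes the string
    form, which is enough to show that lookups are keyed by CA subject.
    """
    return hashlib.sha1(subject_dn.encode()).digest()


class SerialRegistry:
    """Tracks which serials each CA subject has reserved or assigned."""

    def __init__(self) -> None:
        self._reserved: Dict[str, Set[int]] = defaultdict(set)
        self._assigned: Dict[str, Set[int]] = defaultdict(set)
        self._revoked: Dict[str, Set[int]] = defaultdict(set)
        self._subject_by_name_hash: Dict[bytes, str] = {}
        # Requests for serials that were never reserved or assigned; feeds
        # the CA's security response procedures.
        self.suspicious_requests: List[Dict[str, object]] = []

    def register_ca(self, subject_dn: str) -> None:
        # One entry per CA *subject*: a re-keyed CA keeps its subject DN, so
        # serials reserved or assigned under a previous key still match.
        self._subject_by_name_hash[issuer_name_hash(subject_dn)] = subject_dn

    def record(self, obj: IssuedObject) -> None:
        if obj.is_precert:
            # A Precertificate reserves the serial for the CA it is associated
            # with: the direct issuer, or, when a Precertificate Signing
            # Certificate was used, the CA that issued that signing cert.
            ca = obj.precert_signing_ca or obj.issuer
            self._reserved[ca].add(obj.serial)
        else:
            self._assigned[obj.issuer].add(obj.serial)

    def revoke(self, ca_subject: str, serial: int) -> None:
        self._revoked[ca_subject].add(serial)

    def status(self, name_hash: bytes, serial: int) -> CertStatus:
        ca = self._subject_by_name_hash.get(name_hash)
        if ca is None:
            # Not a CA this responder serves: never "good".
            return CertStatus.UNKNOWN
        if serial in self._revoked[ca]:
            return CertStatus.REVOKED
        if serial in self._assigned[ca] or serial in self._reserved[ca]:
            return CertStatus.GOOD
        # Neither reserved nor assigned: never "good", and worth investigating.
        self.suspicious_requests.append({"ca": ca, "serial": serial})
        return CertStatus.UNKNOWN


def demo() -> Dict[str, CertStatus]:
    """Exercise the rule on constructed data; returns each case's answer."""
    reg = SerialRegistry()
    ca = "CN=Example Issuing CA,O=Example"              # constructed DN
    precert_signer = "CN=Example Precert Signing CA,O=Example"  # constructed
    reg.register_ca(ca)

    # Serial 1: precert signed directly by the CA, final cert issued later.
    reg.record(IssuedObject(serial=1, issuer=ca, is_precert=True))
    reg.record(IssuedObject(serial=1, issuer=ca))
    # Serial 2: precert only (logged to CT, final certificate never produced).
    reg.record(IssuedObject(serial=2, issuer=ca, is_precert=True))
    # Serial 3: precert via a Precertificate Signing Certificate, then revoked
    # by the CA without a final certificate ever being issued.
    reg.record(IssuedObject(serial=3, issuer=precert_signer, is_precert=True,
                            precert_signing_ca=ca))
    reg.revoke(ca, 3)
    # Serial 4 was never reserved or assigned by anyone.

    h = issuer_name_hash(ca)
    return {
        "assigned": reg.status(h, 1),
        "reserved_only": reg.status(h, 2),
        "reserved_then_revoked": reg.status(h, 3),
        "never_seen": reg.status(h, 4),
        "foreign_issuer": reg.status(issuer_name_hash("CN=Other CA"), 1),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>22}: {result.value}")
```

The two cases that matter for the ballot are `reserved_only` (a serial that exists only in a Precertificate still gets "good", since the corresponding certificate may exist even if the CA never kept a copy) and `never_seen` (a serial the CA has never reserved or assigned gets "unknown" and is recorded for follow-up, never "good").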