[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Oct 22 23:22:24 MST 2019

On 2019-10-23 9:15 π.μ., Jeremy Rowley via Servercert-wg wrote:
> Here’s my feedback on the language from Dimitris. To be honest, I’d 
> rather just correct the mistake the CAB Forum made and clarify that a 
> pre-cert is really just a cert and should be treated just like a cert 
> minus the duplicate serial number. That’s a much simpler fix. However, 
> since people seem to have heartburn over that, I guess this language 
> could work:
> I don’t really like the “Note” language. It’s not a note since it 
> contains actual requirements. Also defined terms should be in the 
> defined terms section.
> "For the status of Subscriber and CA Certificates issued in accordance
> with these Requirements the CA SHALL support OCSP responses using the
> GET method.
> For the status of Subscriber Certificates:
>   * The CA SHALL update information provided via an Online Certificate
>     Status Protocol at least every four (4) days. OCSP responses from
>     this service MUST have a maximum expiration time of ten (10) days.
>   * CAs that are not Technically Constrained in line with Section 7.1.5
>     the OCSP responder, MUST NOT respond with a "good" status, unless
>     the requested Certificate serial number has been "reserved" or
>     "assigned" (see note below). The CA SHOULD monitor the OCSP
>     responder for requests that are not "reserved" nor "assigned" as
>     part of its security response procedures.
> A serial number is considered "reserved" if the serial number is 
> included as a serial number in a Precertificate chaining to an Issuing 
> CA, either directly or via a Precertificate Signing Certificate.
> A serial number is considered "assigned" if the serial number is 
> included as a serial number in a Subscriber Certificate chaining to an 
> Issuing CA.
> For the status of Subordinate CA Certificates the CA SHALL update
> information provided via an Online Certificate Status Protocol at least
> (i) every twelve (12) months and (ii) within twenty-four (24 ) hours
> after revoking a Subordinate CA Certificate. "
> Add to the defined terms:
> Precertificate has the meaning defined in RFC 6962.
> Precertificate Signing Certificate has the meaning defined in RFC 6962.
> I added the language about the serial number needing to be the serial 
> number of the cert in case there’s some weird situation where someone 
> puts something in some other field (why? I don’t know, but we’ve 
> definitely seen weirder things happen).

Thanks for the improvements.

You think this might get confused with the serialNumber (OID: 
subjectDN field? I can't think of anyone reading "Certificate serial 
number" to confuse it with the subjectDN:serialNumber field, but you 
never know :-)


> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf 
> Of *Ryan Sleevi via Servercert-wg
> *Sent:* Tuesday, October 22, 2019 5:57 PM
> *To:* Wayne Thayer via Servercert-wg <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates
> On Tue, Oct 22, 2019 at 7:44 PM Wayne Thayer via Servercert-wg 
> <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>> wrote:
>     I'm posting v2 of this ballot because without it the discussion
>     period will expire and the ballot will fail. V2 adds language
>     required to prevent conflicts with ballot SC24, but does not
>     otherwise change the proposal.
>     It's not clear to me how to proceed with this. It seems that the
>     endorsers are happy with the current ballot, but others want to
>     limit the change to section 4.9.10. So far, no one has proposed
>     specific language that both accounts for all of the nuances of
>     this issue and is considered to be easily understood. Unless
>     specific alternative proposals are made, I'm inclined to proceed
>     to a vote on the current proposal.
> Wayne: Dimitris' change works for me in only tackling the half that 
> CAs were most concerned about.
> Rob, Jeremy: Could you check if 
> https://cabforum.org/pipermail/servercert-wg/2019-October/001244.html addresses 
> the immediate concerns raised?
> My only concern is whether the "as described in RFC 6962" would be 
> seen as Default-Allow or "Default-Deny". For example, could a CA argue 
> a serial number is associated with a Precertificate that doesn't 
> comply with RFC 6962 is fine? That'd be nonsense, but I'd hate to see 
> that argument made.
> I'm not sure if "as specified in RFC 6962" is any more restrictive 
> against that interpretation. A more restrictive requirement would say 
> "The Precertificate, and, if used, the Precertificate Signing 
> Certificate, MUST comply with the requirements defined in RFC 6962.", 
> but then that's awkward as "Note", if someone wanted to argue that 
> "Note's aren't requirements" (despite the MUST).
> There are other gotchas, worth identifying but not worth fixing (for 
> example: what if the Precertificate was for a sub-CA? What about 
> returning "good" for non-issued certificates from a Root CA?). The 
> 'intent' is, I believe, that Subscriber Certificates and Subordinate 
> Certificates differ in the timeline, but all OCSP responders have the 
> same expectation. But that's for a different Ballot.
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191023/ee194d0c/attachment-0001.html>

More information about the Servercert-wg mailing list