[Servercert-wg] Ballot SC23: Precertificates

Jeremy Rowley jeremy.rowley at digicert.com
Tue Oct 22 23:53:50 MST 2019

The language you like to fix the issue with OCSP responses may depend on where you think the problem originates in the BR language. If you think the problem is with the OCSP language then you’ll want to amend how OCSP is returned. I think the problem is with the BRs trying to define a pre-cert as not a cert.  If all of the browsers say we need to treat it just like a cert, we should just define it as a cert that has an overlapping serial number.  If you do that, the OCSP question takes care of itself.

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Jeremy Rowley via Servercert-wg
Sent: Wednesday, October 23, 2019 12:49 AM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Wayne Thayer <wthayer at mozilla.com>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [Servercert-wg] Ballot SC23: Precertificates

You have the original:

Which was the one endorsed by Rob and I. This one removed the concept that pre-certs aren’t certs.

From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Sent: Wednesday, October 23, 2019 12:42 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Wayne Thayer <wthayer at mozilla.com>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [Servercert-wg] Ballot SC23: Precertificates

We have had several iterations so I'm not sure which is the "original proposal" now :-)

  *   The latest posted by Ryan is https://github.com/cabforum/documents/compare/master...sleevi:2019-10-OCSP
  *   The latest posted by me is https://cabforum.org/pipermail/servercert-wg/2019-October/001244.html
  *   The latest posted by you is https://cabforum.org/pipermail/servercert-wg/2019-October/001289.html
I think your version and Ryan's are better. My version was trying to break down the long version originally posted by Ryan in https://cabforum.org/pipermail/servercert-wg/2019-October/001214.html and make it easier to read.

Hope this makes sense.

On 2019-10-23 9:18 a.m., Jeremy Rowley via Servercert-wg wrote:
The amendment sounds good to me, and I like the original proposal more than Dimitris' language.

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Tuesday, October 22, 2019 7:12 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Ballot SC23: Precertificates

On Tue, Oct 22, 2019 at 6:00 PM Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
Wayne – I failed to look closely at your proposed text on Ballot SC23, and now realize you reverted to some earlier language that is easier to understand – sorry I didn’t notice that.

I'd still like to know if there is a preference for Dimitris' language, but this leads me to think that I should go ahead with the existing ballot.

There are no ballot provisions setting an Effective Date for the ballot – does that mean the requirement that all CAs must provide OCSP responses for pre-certificates will take effect 30 days after the end of the voting period?  That would be problematic.

Bruce previously asked for the ballot to include an Effective Date that is six months after completion of the IP review period so that CAs can plan for and modify their systems.  Would you be willing to add that to the ballot to make it more widely supported?  We’ve all been doing CT for many years with many CAs not providing OCSP responses on pre-certificates, and there does not seem to be a crisis requiring the new provision to be applied in 30 days.

Thanks for pointing that out. I intended to propose an effective date of 1-March 2020, if Jeremy and Rob as endorsers will accept this amendment?

