[Servercert-wg] Ballot SC23: Precertificates

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Oct 23 00:10:10 MST 2019

Sure, other CAs have expressed concerns about that so ultimately I leave 
it up you to you, Rob and Wayne to decide how to proceed.

For what it's worth, we might need to examine any unintended 
consequences from this proposal, for example the fact that revoked 
Pre-certificates are not included in CRLs and adding revoked 
Pre-certificates in CRLs might increase their size, etc.


On 2019-10-23 9:53 π.μ., Jeremy Rowley wrote:
> The language you like to fix the issue with OCPS responses may depend 
> on where you think the problem originates in the BR language. If you 
> think the problem is with the OCPS language then you’ll want to amend 
> how OCSP is returned. I think the problem is with and the BRs 
> trying to define a pre-cert as not a cert.  If all of the browsers say 
> we need to treat it just like a cert, we should just define it as a 
> cert that has an overlapping serial number.  If you do that, the OCSP 
> question takes care of itself.
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf 
> Of *Jeremy Rowley via Servercert-wg
> *Sent:* Wednesday, October 23, 2019 12:49 AM
> *To:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; CA/B Forum 
> Server Certificate WG Public Discussion List 
> <servercert-wg at cabforum.org>; Wayne Thayer <wthayer at mozilla.com>; Kirk 
> Hall <Kirk.Hall at entrustdatacard.com>
> *Subject:* Re: [Servercert-wg] Ballot SC23: Precertificates
> You have the original:
> https://cabforum.org/pipermail/servercert-wg/2019-September/001097.html
> Which was the one endorsed by Rob and I. This one removed the concept 
> that pre-certs aren’t certs.
> *From:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr 
> <mailto:dzacharo at harica.gr>>
> *Sent:* Wednesday, October 23, 2019 12:42 AM
> *To:* Jeremy Rowley <jeremy.rowley at digicert.com 
> <mailto:jeremy.rowley at digicert.com>>; CA/B Forum Server Certificate WG 
> Public Discussion List <servercert-wg at cabforum.org 
> <mailto:servercert-wg at cabforum.org>>; Wayne Thayer 
> <wthayer at mozilla.com <mailto:wthayer at mozilla.com>>; Kirk Hall 
> <Kirk.Hall at entrustdatacard.com <mailto:Kirk.Hall at entrustdatacard.com>>
> *Subject:* Re: [Servercert-wg] Ballot SC23: Precertificates
> We have had several iterations so I'm not sure which is the "original 
> proposal" now :-)
>   * The latest posted by Ryan is
>     https://github.com/cabforum/documents/compare/master...sleevi:2019-10-OCSP
>   * The latest posted by me is
>     https://cabforum.org/pipermail/servercert-wg/2019-October/001244.html
>   * The latest posted by you is
>     https://cabforum.org/pipermail/servercert-wg/2019-October/001289.html
> I think your version and Ryan's are better. My version was trying to 
> break down the long version originally posted by Ryan in 
> https://cabforum.org/pipermail/servercert-wg/2019-October/001214.html 
> and make it easier to read.
> Hope this makes sense.
> Dimitris.
> On 2019-10-23 9:18 π.μ., Jeremy Rowley via Servercert-wg wrote:
>     The amendment sounds good to me, and I like the original proposal
>     more than Dimitris language.
>     *From:* Servercert-wg <servercert-wg-bounces at cabforum.org>
>     <mailto:servercert-wg-bounces at cabforum.org> *On Behalf Of *Wayne
>     Thayer via Servercert-wg
>     *Sent:* Tuesday, October 22, 2019 7:12 PM
>     *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
>     <mailto:Kirk.Hall at entrustdatacard.com>
>     *Cc:* CA/B Forum Server Certificate WG Public Discussion List
>     <servercert-wg at cabforum.org> <mailto:servercert-wg at cabforum.org>
>     *Subject:* Re: [Servercert-wg] Ballot SC23: Precertificates
>     On Tue, Oct 22, 2019 at 6:00 PM Kirk Hall
>     <Kirk.Hall at entrustdatacard.com
>     <mailto:Kirk.Hall at entrustdatacard.com>> wrote:
>         Wayne – I failed to look closely at your proposed text on
>         Ballot SC23, and now realize you reverted to some earlier
>         language that is easier to understand – sorry I didn’t notice
>         that.
>     I'd still like to know if there is a preference for Dimitris'
>     language, but this leads me to think that I should go ahead with
>     the existing ballot.
>         There are no ballot provisions setting an Effective Date for
>         the ballot – does that mean the requirement that all CAs must
>         provide OCSP responses for pre-certificates will take effect
>         30 days after the end of the voting period?  That would be
>         problematic.
>         Bruce previously asked for the ballot to include an Effective
>         Date that is six months after completion of the IP review
>         period so that CAs can plan for and modify their systems. 
>         Would you be willing to add that to the ballot to make it more
>         widely supported?  We’ve all been doing CT for many years with
>         many CAs not providing OCSP responses on pre-certificates, and
>         there does not seem to be a crisis requiring the new provision
>         to be applied in 30 days.
>     Thanks for pointing that out. I intended to propose an effective
>     date of 1-March 2020, if Jeremy and Rob as endorsers will accept
>     this amendment?
>     _______________________________________________
>     Servercert-wg mailing list
>     Servercert-wg at cabforum.org  <mailto:Servercert-wg at cabforum.org>
>     http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191023/af7f9c1a/attachment.html>

More information about the Servercert-wg mailing list