[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Rob Stradling rob at sectigo.com
Wed Oct 23 05:40:07 MST 2019 

On 23/10/2019 03:28, Ryan Sleevi via Servercert-wg wrote:
<snip>
>     Rob, Jeremy: Could you check if
>     https://cabforum.org/pipermail/servercert-wg/2019-October/001244.html addresses
>     the immediate concerns raised?
> 
> 
> More concretely: 
> https://github.com/cabforum/documents/compare/master...sleevi:2019-10-OCSP
> 
> This isn't identical to what Dimitris proposed, to try to close the gaps 
> identified. It tries to use terms that are unused by RFC 5019/6960 - 
> such as "unused" - to avoid confusion with "unknown".
> 
> It's not perfect, but I'm curious if that gets closer to a minimal and 
> clear change.

Hi Ryan.  (tl;dr Thanks for this alternative proposal; I think it could 
be made to work).

OCSP operates on "certificates (cf. RFC5280, Section 3.3)" (see RFC6960 
section 2).

Your alternative proposal retains the
   'For the status of Subscriber Certificates...The CA SHALL update
    information provided via...OCSP'
language in section 4.9.10, but a Precertificate cannot be a Subscriber 
Certificate because you also retain the
   '...a Precertificate...shall not be considered to be a "certificate"
    subject to the requirements of RFC 5280'
language in section 7.1.2.5.

I don't see any requirement in (the current wording of) your alternative 
proposal, stated either directly or indirectly, that has the meaning 
"CAs MUST operate OCSP services for serial numbers that have been 
included in Precertificates".  (The '"SHOULD NOT / MUST NOT respond with 
a "good" status' requirements don't imply a "MUST operate OCSP services" 
requirement).

Therefore, if we're expected to read the BRs with a "Default Deny" 
mindset, ISTM that (the current wording of) your alternative proposal 
effectively requires that CAs *MUST NOT* operate OCSP services for (to 
use your term) "reserved" serial numbers.

ISTM that this problem/loophole can only be addressed by either:
(1) Scrapping the 7.1.2.5 language, so that Precertificates are 
considered to be certificates (as per Wayne's draft ballot).
or
(2) Somehow extending OCSP to also be usable for "reserved" serial 
numbers, and requiring CAs to provide OCSP status for "reserved" serial 
numbers.

I think drafting an RFC6960-bis to achieve (2) would be a non-starter, 
because I expect the IETF community would (quite rightly IMHO) take the 
view that RFC6962 Precertificates are in fact certificates!  So...

Maybe 7.1.2.5 could be updated to say that Precertificates aren't 
considered "certificates" per RFC5280 but *are* considered 
"certificates" per RFC6960?  Seems a bit messy, but I don't know how 
else to achieve (2).

Also, might I suggest that (in 4.9.10)
   'For the status of Subscriber Certificates:'
be changed to
   'For the status of Subscriber Certificates and Precertificates:'
?

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

More information about the Servercert-wg mailing list