[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Ryan Sleevi sleevi at google.com
Wed Oct 23 07:20:52 MST 2019

On Wed, Oct 23, 2019 at 8:40 AM Rob Stradling <rob at sectigo.com> wrote:

> On 23/10/2019 03:28, Ryan Sleevi via Servercert-wg wrote:
> <snip>
> >     Rob, Jeremy: Could you check if
> >
> https://cabforum.org/pipermail/servercert-wg/2019-October/001244.html
>  addresses
> >     the immediate concerns raised?
> >
> >
> > More concretely:
> >
> https://github.com/cabforum/documents/compare/master...sleevi:2019-10-OCSP
> >
> > This isn't identical to what Dimitris proposed, to try to close the gaps
> > identified. It tries to use terms that are unused by RFC 5019/6960 -
> > such as "unused" - to avoid confusion with "unknown".
> >
> > It's not perfect, but I'm curious if that gets closer to a minimal and
> > clear change.
> Hi Ryan.  (tl;dr Thanks for this alternative proposal; I think it could
> be made to work).
> OCSP operates on "certificates (cf. RFC5280, Section 3.3)" (see RFC6960
> section 2).
> Your alternative proposal retains the
>    'For the status of Subscriber Certificates...The CA SHALL update
>     information provided via...OCSP'
> language in section 4.9.10, but a Precertificate cannot be a Subscriber
> Certificate because you also retain the
>    '...a Precertificate...shall not be considered to be a "certificate"
>     subject to the requirements of RFC 5280'
> language in section
> I don't see any requirement in (the current wording of) your alternative
> proposal, stated either directly or indirectly, that has the meaning
> "CAs MUST operate OCSP services for serial numbers that have been
> included in Precertificates".  (The '"SHOULD NOT / MUST NOT respond with
> a "good" status' requirements don't imply a "MUST operate OCSP services"
> requirement).

That was intentional, to address the concerns raised by Bruce; that is,
this was to avoid introducing a normative requirement that CAs MUST provide
such information for Precertificates, and allow that to be addressed via
policy, as Wayne originally proposed, while we look to separately discuss
and ballot a more systemic fix that might require more discussion.

That is, I was trying to get the "quick fix" now so we could bash out the
"best fix" separately.

> Therefore, if we're expected to read the BRs with a "Default Deny"
> mindset, ISTM that (the current wording of) your alternative proposal
> effectively requires that CAs *MUST NOT* operate OCSP services for (to
> use your term) "reserved" serial numbers.

This is a great catch!

ISTM that the simple addition of:

"The CA MAY provide definitive status information for "reserved"
certificate serial numbers, as if there was a corresponding Certificate
that matches the Precertificate [RFC6962]."

Might address the concern of "can they", and then separately a question of
must they is addressed via the policy, while the BRs look for a more
systemic fix for the intersection of Ballot 134.

WDYT? I put that as a PR at
make the proposed language clearer, while you can see the overall set of
changes at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191023/232706fa/attachment.html>

More information about the Servercert-wg mailing list