[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Oct 24 12:17:41 MST 2019
On 2019-10-24 9:51 PM, Ryan Sleevi via Servercert-wg wrote:
> [...]
>
> I am still having a hard time reading and understanding:
>
> "If the OCSP responder receives an OCSP request but has no record
> of ever having issued any certificate with the certificate serial
> number in that request, using any current or previous issuing key
> for the CA subject, then the responder SHOULD NOT respond with a
> "good" status. OCSP responders for CAs that are not Technically
> Constrained in line with Section 7.1.5 MUST NOT respond with a
> "good" status for such certificates. The CA SHOULD monitor the
> responder for such requests as part of its security response
> procedures."
>
>
> This is why I carefully worded it, in
> https://github.com/cabforum/documents/compare/master...sleevi:2019-10-OCSP,
> to avoid this confusion. My proposal does not have that language, in
> order to address the concerns you raised.
>
Thanks Ryan, I must have been confused with another proposal. This
commit
(https://github.com/cabforum/documents/commit/b7befa3eb0bbc0a5c7ada493267ce59a041a486c)
included in your pull request is much easier to read.
Dimitris.