[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Oct 24 12:17:41 MST 2019

On 2019-10-24 9:51 μ.μ., Ryan Sleevi via Servercert-wg wrote:
> [...]
>     I am still having hard time reading and understanding:
>     "If the OCSP responder receives an OCSP request but has no record
>     of ever having issued any certificate with the certificate serial
>     number in that request, using any current or previous issuing key
>     for the CA subject, then the responder SHOULD NOT respond with a
>     "good" status. OCSP responders for CAs that are not Technically
>     Constrained in line with Section 7.1.5 MUST NOT respond with a
>     "good" status for such certificates. The CA SHOULD monitor the
>     responder for such requests as part of its security response
>     procedures."
> This is why I carefully worded it, in 
> https://github.com/cabforum/documents/compare/master...sleevi:2019-10-OCSP, 
> to avoid this confusion. My proposal does not have that language, in 
> order to address the concerns you raised.

Thanks Ryan, I must have been confused with another proposal. This 
included in your pull request is much easier to read.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191024/ffae4a26/attachment.html>

More information about the Servercert-wg mailing list