[Servercert-wg] Discussion Period Begins on Ballot SC43: Clarify Acceptable Status Codes
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Mar 12 18:11:38 UTC 2021
On 12/3/2021 6:47 μ.μ., Ryan Sleevi wrote:
> Given the length of discussion here, are you aware of systems not yet
> conforming? Perhaps you can speak about what concrete (rather than
> abstract) difficulties there would be?
> That's not to say an effective date is a forgone conclusion, but I
> think as a Forum, we're much more productive when members with
> concrete concerns bring them forward, rather than abstracts "on behalf
> of someone else". For example, what challenges might HARICA face?
> Understanding that would help both make better ballots, and perhaps
> highlight industry good practices from other CAs that HARICA could
> adopt so that these aren't concerns in the future.
CAs need to update their validation code to allow ONLY these specific
HTTP responses for redirects. This also needs to be applied
consistently, including ACME implementations that may not currently
support this configuration option. For example, I believe EJBCA does not
have this option for their ACME server engine component.
For HARICA, it's easy to update the main RA code but we currently rely
on EJBCA for ACME and that might cause some delays.
I hope this helps.
> On Fri, Mar 12, 2021 at 12:59 AM Dimitris Zacharopoulos via
> Servercert-wg <servercert-wg at cabforum.org
> <mailto:servercert-wg at cabforum.org>> wrote:
> Shouldn't there be an effective date in this ballot so that CAs
> have time to update their various systems to support these updated
> Software vendors might also need time to update and test their
> software before releasing a newer version, which then needs to be
> properly tested and installed by CAs.
> Servercert-wg mailing list
> Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Servercert-wg