[Servercert-wg] Discussion Period Begins on Ballot SC43: Clarify Acceptable Status Codes

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Mar 12 18:11:38 UTC 2021

On 12/3/2021 6:47 μ.μ., Ryan Sleevi wrote:
> Dimitris,
> Given the length of discussion here, are you aware of systems not yet 
> conforming? Perhaps you can speak about what concrete (rather than 
> abstract) difficulties there would be?
> That's not to say an effective date is a forgone conclusion, but I 
> think as a Forum, we're much more productive when members with 
> concrete concerns bring them forward, rather than abstracts "on behalf 
> of someone else". For example, what challenges might HARICA face? 
> Understanding that would help both make better ballots, and perhaps 
> highlight industry good practices from other CAs that HARICA could 
> adopt so that these aren't concerns in the future.

CAs need to update their validation code to allow ONLY these specific 
HTTP responses for redirects. This also needs to be applied 
consistently, including ACME implementations that may not currently 
support this configuration option. For example, I believe EJBCA does not 
have this option for their ACME server engine component.

For HARICA, it's easy to update the main RA code but we currently rely 
on EJBCA for ACME and that might cause some delays.

I hope this helps.


> On Fri, Mar 12, 2021 at 12:59 AM Dimitris Zacharopoulos via 
> Servercert-wg <servercert-wg at cabforum.org 
> <mailto:servercert-wg at cabforum.org>> wrote:
>     Shouldn't there be an effective date in this ballot so that CAs
>     have time to update their various systems to support these updated
>     requirements?
>     Software vendors might also need time to update and test their
>     software before releasing a newer version, which then needs to be
>     properly tested and installed by CAs.
>     Thanks,
>     Dimitris.
>     _______________________________________________
>     Servercert-wg mailing list
>     Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org>
>     https://lists.cabforum.org/mailman/listinfo/servercert-wg
>     <https://lists.cabforum.org/mailman/listinfo/servercert-wg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210312/245c444c/attachment.html>

More information about the Servercert-wg mailing list