[Servercert-wg] Discussion Period Begins on Ballot SC43: Clarify Acceptable Status Codes

Niko Carpenter NCarpenter at securetrust.com
Fri Mar 12 21:41:10 UTC 2021


We were thinking a three month window, IE an effective date of July 1, would be reasonable. If there are CAs that require more time to implement changes in order to comply with this new requirement, please provide a date that would work for you.

Niko Carpenter
Software Engineer

From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org>
Date: Friday, March 12, 2021 at 13:32
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Discussion Period Begins on Ballot SC43: Clarify Acceptable Status Codes


On Fri, Mar 12, 2021 at 1:11 PM Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr<mailto:dzacharo at harica.gr>> wrote:

On 12/3/2021 6:47 μ.μ., Ryan Sleevi wrote:
Dimitris,

Given the length of discussion here, are you aware of systems not yet conforming? Perhaps you can speak about what concrete (rather than abstract) difficulties there would be?

That's not to say an effective date is a forgone conclusion, but I think as a Forum, we're much more productive when members with concrete concerns bring them forward, rather than abstracts "on behalf of someone else". For example, what challenges might HARICA face? Understanding that would help both make better ballots, and perhaps highlight industry good practices from other CAs that HARICA could adopt so that these aren't concerns in the future.

CAs need to update their validation code to allow ONLY these specific HTTP responses for redirects. This also needs to be applied consistently, including ACME implementations that may not currently support this configuration option. For example, I believe EJBCA does not have this option for their ACME server engine component.

For HARICA, it's easy to update the main RA code but we currently rely on EJBCA for ACME and that might cause some delays.

I hope this helps.

Yup! Makes total sense now :)
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210312/ae0d418c/attachment.html>


More information about the Servercert-wg mailing list