[Servercert-wg] Discussion Period Begins - Ballot SC-063: “Make OCSP Optional and Incentivize Automation”

Aaron Gable aaron at letsencrypt.org
Thu Apr 27 17:57:18 UTC 2023


Hi Ryan,

Thanks so much for pushing this ballot forward. I'm looking forward to this
set of changes.

I've left a few editorial comments on the GitHub PR itself (
https://github.com/cabforum/servercert/pull/414), but I figured for my more
substantive discussion items, it would be better to do those on-list.

1. What does it mean to "support on-line revocation checking via OCSP"?

In particular, what if a given certificate does not contain an OCSP URL,
but someone could manually construct an OCSP request for that certificate
to the CA's *previous* OCSP URL, and get a response -- does that count as
"support"? This is relevant due to the need to transition from supporting
OCSP to not supporting OCSP. A CA cannot simply stop including OCSP URLs in
their certs and turn off their OCSP service at the same time; the service
needs to continue running until after the last cert with its URL embedded
expires. If that service were incidentally capable of providing OCSP
responses even for certificates that do not embed its URL, what
requirements would apply to it?

2. The prohibition on "indirect CRLs".

While I totally agree that we should not have CA Foo issuing CRLs which
cover certificates issued by CA Bar, the prohibition on indirect CRLs seems
to have a negative side-effect: it means that CAs cannot use "delegated CRL
issuers". This may not be a real loss; I believe that CAs have generally
found that Delegated OCSP Signers cause more trouble than they're worth,
and the same is likely true for Delegated CRL Issuers. But Let's Encrypt
has been considering the possibility of using delegated signers in order to
keep separate sets of issuing intermediates in each secure site, but still
have every site capable of providing revocation information on behalf of
all issuing intermediates.

I don't recall discussing this particular provision in previous discussion
(and I can't find it in minutes for meetings I missed), so can we hear a
little bit more about the motivations behind this requirement?

3. Required inclusion of CRL Distribution Point URLs.

In this morning's meeting, we discussed the potential costs of requiring
CAs to update their CRLs daily. Let's Encrypt already re-issues our CRLs
every few hours, so this does not concern me.

However, those CRLs are only discoverable via CCADB. No HTTP client or
meddling router can download them, because they simply aren't aware that
they exist. As soon as the CRL URLs are included directly in end-entity
certificates, I'm certain that a number of certificate consumers will begin
executing old codepaths and downloading them directly.

During normal operation, Let's Encrypt's CRLs total to (order-of-magnitude)
50MB every issuance cycle. They're updated once every few hours, and
downloaded on a similar cadence. That's trivially sustainable, and
significantly cheaper than serving OCSP. But if hundreds of thousands of
clients begin downloading those CRLs directly, it's going to be a very
different story.

So I'd love to hear from other CAs a) how many certificates you have which
embed a CRLDP, and b) how many requests-per-second you receive for that
CRLDP as a result.

Thanks again!
Aaron


On Thu, Apr 27, 2023 at 6:30 AM Ryan Dickson via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Purpose of Ballot SC-063:
>
> This Ballot proposes updates to the Baseline Requirements for the
> Issuance and Management of Publicly-Trusted Certificates related to
> making Online Certificate Status Protocol (OCSP) services optional for
> CAs. This proposal does not prohibit or otherwise restrict CAs who choose
> to continue supporting OCSP from doing so. If CAs continue supporting OCSP,
> the same requirements apply as they exist today.
>
>
> Additionally, this proposal introduces changes related to CRL requirements
> to include:
>
>    - Establishing a detailed CRL profile, consistent with the certificate
>    profiles introduced in Version 2.0.0 of the Baseline Requirements.
>    - CAs MUST generate and publish either:
>       - a full and complete CRL; OR
>       - partitioned CRLs (sometimes called “sharded” CRLs), that when
>       aggregated, represent the equivalent of a full and complete CRL.
>    - CAs MUST include the corresponding HTTP URI for either the full and
>    complete or partitioned/sharded CRL in the CRL Distribution Point
>    extension of subscriber certificates.
>    - CRLs MUST be updated and reissued once daily.
>
>
> Finally, the proposal revisits the concept of a “short-lived” certificate,
> introduced in Ballot 153
> <https://cabforum.org/2015/11/11/ballot-153-short-lived-certificates/>. As
> described in this ballot, short-lived certificates (sometimes called
> “short-term certificates” in ETSI specifications
> <https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf>)
> are:
>
>    - optional. CAs will not be required to issue short-lived
>    certificates. For TLS certificates that do not meet the definition of a
>    short-lived certificate introduced in this proposed update, the current
>    maximum validity period of 398 days remains applicable.
>    - *constrained to an initial maximum validity period of ten (10) days.*
>    The proposal stipulates that short-lived certificates issued on or after 15
>    March 2026 must not have a Validity Period greater than seven (7) days.
>    - not required to contain a CRLDP or OCSP pointer and are not required
>    to be revoked. The primary mechanism of certificate invalidation for
>    these short-lived certificates would be through certificate expiry. CAs may
>    optionally revoke short-lived certificates. The initial maximum
>    certificate validity is aligned with the existing maximum values for CRL
>    “nextUpdate” and OCSP response validity allowed by the BRs today.
>
>
> Additional background, justification, and considerations are outlined here
> <https://docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit>
> .
>
>
>
> The following motion has been proposed by Ryan Dickson and Chris Clements
> of Google (Chrome Root Program) and endorsed by Kiran Tummala of
> Microsoft and Tim Callan of Sectigo.
>
>
> — Motion Begins —
>
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 2.0.0.
>
>
> MODIFY the Baseline Requirements as specified in the following Redline:
>
>
> https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9
>
>
>
> — Motion Ends —
>
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
>
> Discussion (14+ days)
>
>    - Start time: 2023-04-27 13:30:00 UTC
>    - End time: Not before 2023-05-11 13:30:00 UTC
>
>
> Vote for approval (7 days)
>
>
>    - Start time: TBD
>    - End time: TBD
>