[Servercert-wg] Discussion Period Begins - Ballot SC-063: “Make OCSP Optional and Incentivize Automation”

Corey Bonnell Corey.Bonnell at digicert.com
Thu Apr 27 18:58:32 UTC 2023


Hi Aaron,

*	2. The prohibition on "indirect CRLs".

 

Every CA certificate in the WebPKI MUST assert the cRLSign key usage bit, so that CA is also a CRL issuer (RFC 5280, section 4.1.2.6 says “If the subject is a CRL issuer (e.g., the key usage extension, as discussed in Section 4.2.1.3, is present and the value of cRLSign is TRUE)”). Additionally, I don’t believe there’s currently any mechanism in use in the WebPKI to distribute CRL issuer certificates, so I thought it would be reasonable to propose explicitly prohibiting indirect CRLs (why allow something that cannot be consumed by commonly used RP software?).

 

*	But Let's Encrypt has been considering the possibility of using delegated signers in order to keep separate sets of issuing intermediates in each secure site, but still have every site capable of providing revocation information on behalf of all issuing intermediates.

 

Would the root CA issue a CRL issuer certificate to issue CRLs on behalf of one or more intermediate CAs? Trying to envision how this would work without having to fetch a bunch of certificates to validate the CRL back to a trust anchor.

 

Thanks,

Corey

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Aaron Gable via Servercert-wg
Sent: Thursday, April 27, 2023 1:58 PM
To: Ryan Dickson <ryandickson at google.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Discussion Period Begins - Ballot SC-063: “Make OCSP Optional and Incentivize Automation”

 

Hi Ryan,

 

Thanks so much for pushing this ballot forward. I'm looking forward to this set of changes.

 

I've left a few editorial comments on the GitHub PR itself (https://github.com/cabforum/servercert/pull/414 <https://url.avanan.click/v2/___https:/github.com/cabforum/servercert/pull/414___.YXAzOmRpZ2ljZXJ0OmE6bzo2MmQwNTQyZjIwMTcxNTFhMDI0MDlhYTM5MDJkNzJkYzo2OjY5ZjM6ZjRhNGQ2MTliM2E2Yzc0MmI0ZmE5NGVjZWUxMDY3ZDkyY2Q5NDhiMTU5Nzg0Njc5ZDUxZGY4NzYxNzIwOGM3ODpoOkY> ), but I figured for my more substantive discussion items, it would be better to do those on-list.

 

1. What does it mean to "support on-line revocation checking via OCSP"?

 

In particular, what if a given certificate does not contain an OCSP URL, but someone could manually construct an OCSP request for that certificate to the CA's *previous* OCSP URL, and get a response -- does that count as "support"? This is relevant due to the need to transition from supporting OCSP to not supporting OCSP. A CA cannot simply stop including OCSP URLs in their certs and turn off their OCSP service at the same time; the service needs to continue running until after the last cert with its URL embedded expires. If that service were incidentally capable of providing OCSP responses even for certificates that do not embed its URL, what requirements would apply to it?

 

2. The prohibition on "indirect CRLs".

 

While I totally agree that we should not have CA Foo issuing CRLs which cover certificates issued by CA Bar, the prohibition on indirect CRLs seems to have a negative side-effect: it means that CAs cannot use "delegated CRL issuers". This may not be a real loss; I believe that CAs have generally found that Delegated OCSP Signers cause more trouble than they're worth, and the same is likely true for Delegated CRL Issuers. But Let's Encrypt has been considering the possibility of using delegated signers in order to keep separate sets of issuing intermediates in each secure site, but still have every site capable of providing revocation information on behalf of all issuing intermediates.

 

I don't recall discussing this particular provision in previous discussion (and I can't find it in minutes for meetings I missed), so can we hear a little bit more about the motivations behind this requirement?

 

3. Required inclusion of CRL Distribution Point URLs.

 

In this morning's meeting, we discussed the potential costs of requiring CAs to update their CRLs daily. Let's Encrypt already re-issued our CRLs every few hours, so this does not concern me.

 

However, those CRLs are only discoverable via CCADB. No HTTP client or meddling router can download them, because they simply aren't aware that they exist. As soon as the CRL URLs are included directly in end-entity certificates, I'm certain that a number of certificate consumers will begin executing old codepaths and downloading them directly.

 

During normal operation, Let's Encrypt's CRLs total to (order-of-magnitude) 50MB every issuance cycle. They're updated once every few hours, and downloaded on a similar cadence. That's trivially sustainable, and significantly cheaper than serving OCSP. But if hundreds of thousands of clients begin downloading those CRLs directly, it's going to be a very different story.

 

So I'd love to hear from other CAs a) how many certificates you have which embed a CRLDP, and b) how many requests-per-second you receive for that CRLDP as a result.

 

Thanks again!

Aaron

 

 

On Thu, Apr 27, 2023 at 6:30 AM Ryan Dickson via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> > wrote:

Purpose of Ballot SC-063:

This Ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates related to making Online Certificate Status Protocol (OCSP) services optional for CAs. This proposal does not prohibit or otherwise restrict CAs who choose to continue supporting OCSP from doing so. If CAs continue supporting OCSP, the same requirements apply as they exist today.

 

Additionally, this proposal introduces changes related to CRL requirements to include:

*	Establishing a detailed CRL profile, consistent with the certificate profiles introduced in Version 2.0.0 of the Baseline Requirements.
*	CAs MUST generate and publish either:

*	a full and complete CRL; OR 
*	partitioned CRLs (sometimes called “sharded” CRLs), that when aggregated, represent the equivalent of a full and complete CRL.

*	CAs MUST include the corresponding HTTP URI for either the full and complete or partitioned/sharded CRL in the CRL Distribution Point extension of subscriber certificates.
*	CRLs MUST be updated and reissued once daily.

 

Finally, the proposal revisits the concept of a “short-lived” certificate, introduced in  <https://url.avanan.click/v2/___https:/cabforum.org/2015/11/11/ballot-153-short-lived-certificates/___.YXAzOmRpZ2ljZXJ0OmE6bzo2MmQwNTQyZjIwMTcxNTFhMDI0MDlhYTM5MDJkNzJkYzo2OjNkY2E6NTA1ZDMwMDhkODI4ZTFmMGQ0OTU5NGRhMmRmYjI5ODNmMjk2Yzc0N2JiYWY4MWI2YTk1MDkxNjBmNmFlOTQ1MzpoOkY> Ballot 153. As described in this ballot, short-lived certificates (sometimes called “short-term certificates” in ETSI  <https://url.avanan.click/v2/___https:/www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzo2MmQwNTQyZjIwMTcxNTFhMDI0MDlhYTM5MDJkNzJkYzo2OmQ3Mzc6MzA0ODNmMWMwMzk4NTUyOGIxMGMzNjFhNGEzOGE0Njg3MThjMjI0MzRiY2I3NDY3MWZmZmM4ZGYyZjdmNTM1YTpoOkY> specifications) are:

*	optional. CAs will not be required to issue short-lived certificates. For TLS certificates that do not meet the definition of a short-lived certificate introduced in this proposed update, the current maximum validity period of 398 days remains applicable. 
*	constrained to an initial maximum validity period of ten (10) days. The proposal stipulates that short-lived certificates issued on or after 15 March 2026 must not have a Validity Period greater than seven (7) days.
*	not required to contain a CRLDP or OCSP pointer and are not required to be revoked. The primary mechanism of certificate invalidation for these short-lived certificates would be through certificate expiry. CAs may optionally revoke short-lived certificates. The initial maximum certificate validity is aligned with the existing maximum values for CRL “nextUpdate” and OCSP response validity allowed by the BRs today. 

 

Additional background, justification, and considerations are outlined  <https://url.avanan.click/v2/___https:/docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit___.YXAzOmRpZ2ljZXJ0OmE6bzo2MmQwNTQyZjIwMTcxNTFhMDI0MDlhYTM5MDJkNzJkYzo2OjUzMTU6NmNmOTdmMjBjNjZlYmQ4NzI0OTQzZGUxZWM2ZGQ1YTQ4NGM5YzI4M2M3ZGI0ODQzYWNjN2ZhMzJkNmEyNzQ3ZjpoOkY> here.

 

The following motion has been proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program) and endorsed by Kiran Tummala of Microsoft and Tim Callan of Sectigo.

 

— Motion Begins —

 

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.0.

 

MODIFY the Baseline Requirements as specified in the following Redline: 

https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9 <https://url.avanan.click/v2/___https:/github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9___.YXAzOmRpZ2ljZXJ0OmE6bzo2MmQwNTQyZjIwMTcxNTFhMDI0MDlhYTM5MDJkNzJkYzo2OmJhY2Y6MjFhY2ZkNWE1ZjQ3OTAyMjIyM2ZjNTUzZjI4MjY0YTA2NjliY2Y3ZDQxMjdmOTVkZjFhMzVlNzI5YTY0MmNiMDpoOkY>  

 

— Motion Ends —

 

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

 

Discussion (14+ days)

*        Start time: 2023-04-27 13:30:00 UTC

*        End time: Not before 2023-05-11 13:30:00 UTC

 

Vote for approval (7 days)

*        Start time: TBD

*        End time: TBD

_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org> 
https://lists.cabforum.org/mailman/listinfo/servercert-wg <https://url.avanan.click/v2/___https:/lists.cabforum.org/mailman/listinfo/servercert-wg___.YXAzOmRpZ2ljZXJ0OmE6bzo2MmQwNTQyZjIwMTcxNTFhMDI0MDlhYTM5MDJkNzJkYzo2OmY0MDk6MTIwZDdhNjU5Y2FiNTEzZjFiYmVmM2NkZDlmMzA0ZTU0OGNiYjdkNDAzMzE2NmUzYzMzMjMwOGM1MWE5MDAxZDpoOkY> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230427/52035345/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4990 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230427/52035345/attachment-0001.p7s>


More information about the Servercert-wg mailing list