[Servercert-wg] Voting Period Begins - Ballot SC-063 V4: “Make OCSP Optional, Require CRLs, and Incentivize Automation”

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Jul 7 08:58:29 UTC 2023


HARICA votes "yes" to ballot SC-063.

On 6/7/2023 6:59 μ.μ., Ryan Dickson via Servercert-wg wrote:
>
> Purpose of Ballot SC-063
>
> This Ballot proposes updates to the Baseline Requirements for the 
> Issuance and Management of Publicly-Trusted Certificatesrelated to 
> making Online Certificate Status Protocol (OCSP) services optionalfor 
> CAs. This proposal does notprohibit or otherwise restrict CAs who 
> choose to continue supporting OCSP from doing so. If CAs continue 
> supporting OCSP, the samerequirements apply as they exist today.
>
>
> Additionally, this proposal introduces changes related to CRL 
> requirements including:
>
>  *
>
>     CRLs must conform with the proposed profile.
>
>  *
>
>     CAs must generate and publish either:
>
>      o
>
>         a full and complete, or
>
>      o
>
>         a set of partitioned CRLs (sometimes called “sharded” CRLs),
>         that when aggregated, represent the equivalent of a full and
>         complete CRL.
>
>  *
>
>     CAs issuing Subscriber Certificates must update and publish a new CRL…
>
>      o
>
>         within twenty-four (24) hours after recording a Certificate as
>         revoked; and
>
>      o
>
>         Otherwise:
>
>          +
>
>             at least every seven (7) days if all Certificates include
>             an Authority Information Access extension with an
>             id-ad-ocsp accessMethod (“AIA OCSP pointer”), or
>
>          +
>
>             at least every four (4) days in all other cases.
>
>
> Finally, the proposal revisits the concept of a “short-lived” 
> certificate, introduced in Ballot 153 
> <https://cabforum.org/2015/11/11/ballot-153-short-lived-certificates/>. 
> As described in this ballot, short-lived certificates (sometimes 
> called “short-term certificates” in ETSI specifications 
> <https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf>) 
> are:
>
>  *
>
>     optional. CAs will notbe required to issue short-lived
>     certificates. For TLS certificates that do not meet the definition
>     of a short-lived certificate introduced in this proposed update,
>     the current maximum validity period of 398 days remains applicable.
>
>  *
>
>     constrained to an initial maximum validity period of ten (10)
>     days.The proposal stipulates that short-lived certificates issued
>     on or after 15 March 2026 must not have a Validity Period greater
>     than seven (7) days.
>
>  *
>
>     not required to contain a CRLDP or OCSP pointer and are not
>     required to be revoked. The primary mechanism of certificate
>     invalidation for these short-lived certificates would be through
>     certificate expiry. CAs may optionallyrevoke short-lived
>     certificates. The initial maximum certificate validity is aligned
>     with the existing maximum values for CRL “nextUpdate” and OCSP
>     response validity allowed by the BRs today.
>
>
> Additional background, justification, and considerations are outlined 
> here 
> <https://docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit>.
>
>
> Proposal Revision History:
>
>  *
>
>     The set of updates resulting from the first round of discussion
>     are presentedhere
>     <https://github.com/ryancdickson/staging/pull/3/files>.
>
>  *
>
>     The set of updates resulting from the second round of discussion
>     are presented here
>     <https://github.com/ryancdickson/staging/pull/5/files>.
>
>  *
>
>     The set of updates resulting from the third round of discussion
>     are presented here
>     <https://github.com/ryancdickson/staging/pull/7/files>.
>
>
> The following motion has been proposed by Ryan Dickson and Chris 
> Clements of Google (Chrome Root Program) and endorsed by Kiran 
> Tummalaof Microsoft and Tim Callanof Sectigo.
>
>
>
> — Motion Begins —
>
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” (“Baseline 
> Requirements”), based on Version 2.0.0.
>
>
> MODIFY the Baseline Requirements as specified in the following Redline:
>
> https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..b8a0453e59ff342779d5083f2f1f8b8b5930a66a 
> <https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..b8a0453e59ff342779d5083f2f1f8b8b5930a66a>
>
>
>
> — Motion Ends —
>
>
> This ballot proposes a Final Maintenance Guideline. The procedure for 
> approval of this ballot is as follows:
>
>
> Discussion (13+ days)
>
>  *
>
>     Start time: 2023-06-22 20:30:00 UTC
>
>  *
>
>     End time: 2023-07-06 15:59:59 UTC
>
>
> Vote for approval (7 days)
>
>  *
>
>     Start time: 2023-07-06 16:00:00 UTC
>
>  *
>
>     End time: 2023-07-13 16:00:00 UTC
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230707/caf6ecbd/attachment-0001.html>


More information about the Servercert-wg mailing list