[Servercert-wg] [EXTERNAL]- Voting Period Begins - Ballot SC-063 V4: “Make OCSP Optional, Require CRLs, and Incentivize Automation”

Pedro FUENTES pfuentes at WISEKEY.COM
Fri Jul 7 09:01:39 UTC 2023


OISTE votes YES to SC-063

> On 6 Jul 2023, at 17:59, Ryan Dickson via Servercert-wg <servercert-wg at cabforum.org> wrote:
> 
> Purpose of Ballot SC-063
> This Ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates related to making Online Certificate Status Protocol (OCSP) services optional for CAs. This proposal does not prohibit or otherwise restrict CAs who choose to continue supporting OCSP from doing so. If CAs continue supporting OCSP, the same requirements apply as they exist today.
> 
> Additionally, this proposal introduces changes related to CRL requirements including:
> 
> 
> CRLs must conform with the proposed profile.
> 
> 
> CAs must generate and publish either:
> 
> 
> a full and complete, or 
> 
> 
> a set of partitioned CRLs (sometimes called “sharded” CRLs), that when aggregated, represent the equivalent
>  of a full and complete CRL.
> 
> 
> CAs issuing Subscriber Certificates must update and publish a new CRL…
> 
> 
> within twenty-four (24) hours after recording a Certificate as revoked; and 
> 
> 
> Otherwise: 
> 
> 
> at least every seven (7) days if all Certificates include an Authority Information Access extension
>  with an id-ad-ocsp accessMethod (“AIA OCSP pointer”), or
> 
> 
> at least every four (4) days in all other cases.
> 
> 
> Finally, the proposal revisits the concept of a “short-lived” certificate, introduced in Ballot 153 <https://urldefense.proofpoint.com/v2/url?u=https-3A__cabforum.org_2015_11_11_ballot-2D153-2Dshort-2Dlived-2Dcertificates_&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=bNPUZYTOLUCU9dyU-u6tRUqzMGcT9EGbe2L0s-d5gzc&s=XBgJ4Sr1y_pvDRrLi1vskiG-Ulspjdy9p6ulrlxpceg&e=>.  As described in this ballot, short-lived certificates (sometimes called “short-term certificates” in ETSI specifications <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.etsi.org_deliver_etsi-5Fen_319400-5F319499_31941201_01.04.04-5F60_en-5F31941201v010404p.pdf&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=bNPUZYTOLUCU9dyU-u6tRUqzMGcT9EGbe2L0s-d5gzc&s=TRmJf5Rw1HYEGlhrXDQ7uYlmwlE0m974V-_cD7CgM0o&e=>) are:
> 
> 
> optional.
>  CAs will not
>  be required to issue short-lived certificates. For TLS certificates that do not meet the definition of a short-lived certificate introduced in this proposed update, the current maximum validity period of 398 days remains applicable. 
> 
> 
> constrained to an initial maximum validity period of ten (10) days.
>  The proposal stipulates that short-lived certificates issued on or after 15 March 2026 must not have a Validity Period greater than seven (7) days.
> 
> 
> not required to contain a CRLDP or OCSP pointer and are not required to be revoked.
>  The primary mechanism of certificate invalidation for these short-lived certificates would be through certificate expiry. CAs may
> optionally
>  revoke short-lived certificates. The initial maximum certificate validity is aligned with the existing maximum values for CRL “nextUpdate” and OCSP response validity allowed by the BRs today. 
> 
> 
> Additional background, justification, and considerations are outlined here <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_document_d_180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98_edit&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=bNPUZYTOLUCU9dyU-u6tRUqzMGcT9EGbe2L0s-d5gzc&s=W87ooYZa_uQCBeQgOr7Z-utpl_8sEddRJIpAIQmMhLo&e=>.
> 
> Proposal Revision History:
> 
> 
> The set of updates resulting from the first round of discussion are presented
> here <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ryancdickson_staging_pull_3_files&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=bNPUZYTOLUCU9dyU-u6tRUqzMGcT9EGbe2L0s-d5gzc&s=S9NNy0AWY7MbjSihtFsGjSzLBi5DXJhQJrHHx8M7X2M&e=>.
> 
> 
> The set of updates resulting from the second round of discussion are presented
> here <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ryancdickson_staging_pull_5_files&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=bNPUZYTOLUCU9dyU-u6tRUqzMGcT9EGbe2L0s-d5gzc&s=ug_pW_LWM26KT01cty-4jgSdrtJcTwJ2OAyWmR90rbg&e=>.
> 
> 
> The set of updates resulting from the third round of discussion are presented
> here <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ryancdickson_staging_pull_7_files&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=bNPUZYTOLUCU9dyU-u6tRUqzMGcT9EGbe2L0s-d5gzc&s=oRn6ZXSTjTzYyJOkicDBbqlygnW7pssbBGrV8BkxZYc&e=>. 
> 
> 
> The following motion has been proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program) and endorsed by Kiran Tummala of Microsoft and Tim Callan of Sectigo.
> 
> 
> — Motion Begins —
> 
> This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.0.
> 
> MODIFY the Baseline Requirements as specified in the following Redline: 
> https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..b8a0453e59ff342779d5083f2f1f8b8b5930a66a <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_servercert_compare_a0360b61e73476959220dc328e3b68d0224fa0b3..b8a0453e59ff342779d5083f2f1f8b8b5930a66a&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=bNPUZYTOLUCU9dyU-u6tRUqzMGcT9EGbe2L0s-d5gzc&s=G48L8jtUIcgxytz0JISOggK92smCTC58U7NhsITQGyM&e=> 
> 
> 
> — Motion Ends —
> 
> This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
> 
> Discussion (13+ days)
> 
> Start time: 2023-06-22 20:30:00 UTC
> 
> 
> End time: 2023-07-06 15:59:59 UTC
> 
> 
> Vote for approval (7 days)
> 
> Start time: 2023-07-06 16:00:00 UTC
> 
> 
> End time: 2023-07-13 16:00:00 UTC
> 
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=bNPUZYTOLUCU9dyU-u6tRUqzMGcT9EGbe2L0s-d5gzc&s=D4zkNYqA1IGMPuOpzS8-0_ZnpDHP7I2FUVqCHahUyXU&e=


WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
Stay connected with WISeKey <http://www.wisekey.com/>

THIS IS A TRUSTED MAIL: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks

CONFIDENTIALITY: This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender

DISCLAIMER: WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230707/03f54c74/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3407 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230707/03f54c74/attachment-0001.p7s>


More information about the Servercert-wg mailing list