[Servercert-wg] Notice of Review Period: Ballot SC63 - Make OCSP optional, require CRLs and Incentivize Automation

Aaron Gable aaron at letsencrypt.org
Mon Jul 31 22:47:24 UTC 2023


In addition, I would state that I believe the ballot is clear that
operating OCSP is still required as long as any unexpired certificate
contains an AIA OCSP URL: Sections 4.9.9 and 4.9.10 state that they "apply
for communicating the status of Certificates which include an Authority
Information Access extension with an id-ad-ocsp accessMethod". So even
after 15 March 2024, OCSP services cannot simply be shut down until all
certificates which reference them have expired.

Aaron

On Fri, Jul 28, 2023 at 12:37 PM Bruce Morton via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Agreed.
>
> Bruce.
>
> *From:* Tim Hollebeek <tim.hollebeek at digicert.com>
> *Sent:* Friday, July 28, 2023 3:33 PM
> *To:* Bruce Morton <Bruce.Morton at entrust.com>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Inigo
> Barreira <Inigo.Barreira at sectigo.com>
> *Subject:* [EXTERNAL] RE: Notice of Review Period: Ballot SC63 - Make
> OCSP optional, require CRLs and Incentivize Automation
>
> Just a helpful reminder to everyone trying to comply with this ballot to
> also check the Microsoft Root Program and its requirements around OCSP,
> which haven’t changed.
>
> I don’t want anyone accidentally running afoul of those program
> requirements because they read the BRs in isolation.
>
> -Tim
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Bruce
> Morton via Servercert-wg
> *Sent:* Friday, July 28, 2023 9:32 AM
> *To:* Inigo Barreira <Inigo.Barreira at sectigo.com>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] Notice of Review Period: Ballot SC63 -
> Make OCSP optional, require CRLs and Incentivize Automation
>
> Was just doing an implementation review of this ballot and the “optional”
> date for not supporting OCSP is confusing. Section 4.10.2 states “The CA
> SHALL operate and maintain its CRL and optional OCSP capability with
> resources sufficient to provide a response time of ten seconds or less
> under normal operating conditions.” There are no conditions. I will
> interpret that the ballot’s intent is that effective 15 March 2024, OCSP is
> optional and CRL is mandatory.
>
> Please advise, if I missed a condition for removal of OCSP in another
> section.
>
> Thanks, Bruce.
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Inigo
> Barreira via Servercert-wg
> *Sent:* Monday, July 17, 2023 6:32 AM
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL] [Servercert-wg] Notice of Review Period: Ballot
> SC63 - Make OCSP optional, require CRLs and Incentivize Automation
>
> *NOTICE OF REVIEW PERIOD*
>
> This Review Notice is sent pursuant to Section 4.1 of the CA/Browser
> Forum’s Intellectual Property Rights Policy (v1.3). This Review Period of
> 30 days is for one Final Maintenance Guideline. The complete Draft
> Maintenance Guideline that is the subject of this Review Notice is attached
> to this email, both in red-line and changes-accepted draft format, in Word
> and PDF versions.
>
> *Summary of Review*
>
> *Ballot for Review: *Ballot SC-063 v4: Make OCSP Optional, Require CRLs,
> and Incentivize Automation – CAB Forum
> <https://cabforum.org/2023/07/14/ballot-sc-063-v4make-ocsp-optional-require-crls-and-incentivize-automation/>
>
> *Start of Review Period: 17 July 2023 at 17:00 Eastern Time*
>
> *End of Review Period: 17 August 2023 at 17:00 Eastern Time*
>
> Members with any Essential Claim(s) to exclude must forward a written
> Notice to Exclude Essential Claims to the Working Group Chair (email to
> Iñigo Barreira <inigo.barreira at sectigo.com>) and also submit a copy to
> the CA/B Forum public mailing list (email to public at cabforum.org) before
> the end of the Review Period.
>
> For details, please see the current version of the CA/Browser Forum
> Intellectual Property Rights Policy
> <https://cabforum.org/wp-content/uploads/CABF-IPR-Policy-v.1.3_4APR18.pdf>.
>
> (An optional template for submitting an Exclusion Notice is available at
> https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf)