[Servercert-wg] Discussion Period Begins - Ballot SC-063: “Make OCSP Optional and Incentivize Automation”

Aaron Gable aaron at letsencrypt.org
Thu May 4 16:28:08 UTC 2023


On Thu, May 4, 2023 at 1:09 AM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

>
> I support that approach to change both for consistency. Perhaps something
> like:
>
> "The CA MUST update and reissue CRLs at least 1) once every 7 days; or 2)
> within 24 hours after conclusively determining *recording* that a
> certificate within that CRL's scope must be revoked."
>
> I prefer to use the word "record" which should leave a trace if needed. I
> also removed "within that CRL's scope" because it seems obvious that we are
> discussing the CRL associated with a specific CA. Other suggestions
> for the language are welcome :)
>

"Record" seems fine to me. But "within that CRL's scope" is, I think,
important and non-obvious. If a CA is issuing partitioned CRLs with 128
shards, and a certificate is revoked which falls into shard 0, should the
CA also be required to update and re-issue shards 1-127 within the same
timeframe? Maybe the answer is "yes", in which case removing those words is
fine, but if the answer is "no" then I think they're important.

Aaron