[Servercert-wg] [EXTERNAL] Discussion Period Begins - Ballot SC-063 V2: “Make OCSP Optional, Require CRLs, and Incentivize Automation”
Aaron Gable
aaron at letsencrypt.org
Wed May 17 23:08:26 UTC 2023
Ryan,
Thanks for opening another discussion period! I think I am in favor of all
of the language in this ballot. As is my wont, I've left another bevy of
comments directly on the PR
<https://github.com/cabforum/servercert/pull/414#pullrequestreview-1431753474>,
but they're basically all about organization, not about content.
On Wed, May 17, 2023 at 11:32 AM Bruce Morton via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> Hi Ryan,
>
> Per the Short-lived Subscriber Certificate definition, many CAs may
> already issue certificates with a short validity period. I also think the
> definition is missing the intended use which is a certificate with no
> certificate status. How about this definition?
>
> **Short-lived Subscriber Certificate**: Certificate issued with a short
> Validity Period, where the CA MAY NOT provide Subscriber Certificate status.
>
> The validity period does not need to go in the definition as it is
> addressed in section 6.3.2.
>
In the current version of this ballot, the validity period cutoffs for
Short-Lived Subscriber Certificates are not actually contained in Section
6.3.2 anymore. In the previous version, they were defined in two places; I
suggested consolidating that definition to just Section 1.6.1 Definitions.
I personally like using the definitions section to define what a
Short-Lived Subscriber Certificate *is*, and then having the document
elsewhere describe what costs and benefits such a certificate has. This
matches, for example, the way that the Definitions section simply defines
"P-Label" and "Non-Reserved LDH Label", but then leaves it up to Section
7.1.2.7.12 to describe why those definitions are important.
Aaron