[Servercert-wg] Seeking endorsers for Ballot SC-076 "Clarify and improve OCSP requirements"
Aaron Gable
aaron at letsencrypt.org
Fri Aug 9 18:54:05 UTC 2024
This ballot has grown out of discussions around whether OCSP responses must
be made available for Precertificates, and how quickly they must be made
available after initial issuance. Much of that conversation is captured in this
bugzilla incident <https://bugzilla.mozilla.org/show_bug.cgi?id=1905419> and
this Mozilla issue <https://github.com/mozilla/pkipolicy/issues/280>.

In addition, I've often felt like Sections 4.9.9 and 4.9.10 are poorly laid
out, with little rhyme or reason as to why any particular requirement lives
in one section or the other. RFC 3647 says that Section 4.9.10 is meant to
place requirements on relying parties, not on CAs, which explains much of
the confusion.

The result is a total rearrangement of Sections 4.9.9 and 4.9.10. This
ballot empties 4.9.10, moves all of its requirements into 4.9.9, and
arranges them into three sections:

- A few definitions (which apply only in this section);
- Requirements which apply to OCSP Responders whose URLs are found in the
  AIA OCSP field of certificates; and
- Requirements which apply to all OCSP Responses, regardless of how they were
  queried.

The PR representing this ballot is here:
https://github.com/cabforum/servercert/pull/535

Please let me know if you have any comments or suggested changes on the
GitHub PR, and please let me know if you'd be willing to endorse.

Thank you,
Aaron