[Servercert-wg] [EXTERNAL] Seeking endorsers for Ballot SC-076 "Clarify and improve OCSP requirements"

Fri Aug 9 21:08:12 UTC 2024

Hi Aaron,

Thanks for the ballot proposal.

I have feedback from our team is it would be great to have 3 months or so to make sure that this requirement as addressed properly - “Authoritative OCSP responses MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the certificate signing operation occurs.”

Could we add in an effective date for this requirement?

Thanks, Bruce.

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Aaron Gable via Servercert-wg
Sent: Friday, August 9, 2024 2:54 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL] [Servercert-wg] Seeking endorsers for Ballot SC-076 "Clarify and improve OCSP requirements"

This ballot has grown out of discussions around whether OCSP responses must be made available for Precertificates, and how quickly they must be made available after initial issuance. Much of that conversation is captured in this bugzilla incident and

This ballot has grown out of discussions around whether OCSP responses must be made available for Precertificates, and how quickly they must be made available after initial issuance. Much of that conversation is captured in this bugzilla incident<https://urldefense.com/v3/__https:/bugzilla.mozilla.org/show_bug.cgi?id=1905419__;!!FJ-Y8qCqXTj2!dah43yGb4Pf_aNlBECZ6K6S41egFls1ClnimauCXjklwLFBvkfXVPhGQqR7jrEkx27xPuvMsdgZg2YPHI25eSbn38alHzQ$> and this Mozilla issue<https://urldefense.com/v3/__https:/github.com/mozilla/pkipolicy/issues/280__;!!FJ-Y8qCqXTj2!dah43yGb4Pf_aNlBECZ6K6S41egFls1ClnimauCXjklwLFBvkfXVPhGQqR7jrEkx27xPuvMsdgZg2YPHI25eSblHNIDx5Q$>.

In addition, I've often felt like Sections 4.9.9 and 4.9.10 are poorly laid out, with little rhyme or reason as to why any particular requirement lives in one section or the other. RFC 3647 says that Section 4.9.10 is meant to place requirements on relying parties, not on CAs, which explains much of the confusion.

The result is a total rearrangement of Sections 4.9.9 and 4.9.10. This ballot empties 4.9.10, moves all of its requirements into 4.9.9, and arranges them into three sections:
- A few definitions (which apply only in this section);
- Requirements which apply to OCSP Responders whose URLs are found in the AIA OCSP field of certificates; and
- Requirements which apply to all OCSP Responses, regardless of how it was queried.

The PR representing this ballot is here: https://github.com/cabforum/servercert/pull/535<https://urldefense.com/v3/__https:/github.com/cabforum/servercert/pull/535__;!!FJ-Y8qCqXTj2!dah43yGb4Pf_aNlBECZ6K6S41egFls1ClnimauCXjklwLFBvkfXVPhGQqR7jrEkx27xPuvMsdgZg2YPHI25eSbnd3aMMCg$>

Please let me know if you have any comments or suggested changes on the GitHub PR, and please let me know if you'd be willing to endorse.

Thank you,
Aaron
Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240809/c38da458/attachment.html>