[Servercert-wg] Discussion Period Begins: Ballot SC-076 "Clarify and Improve OCSP Requirements"

Aaron Gable aaron at letsencrypt.org
Wed Aug 28 23:10:52 UTC 2024


Hi Trevoli, thanks for the feedback!

All: since it looks like we're going to have to create a V2 ballot and
re-start the discussion period, please provide any other feedback that you
have ASAP so that all feedback can be incorporated before I begin V2.

On Wed, Aug 28, 2024 at 12:41 PM Ponds-White, Trev <trevolip at amazon.com>
wrote:

> Hi Aaron G.,
>
> We have some feedback on the ballot.
>
> Can you add the word “first” into the sentence about 15 minutes to
> reinforce that we are discussing just the first published response, not
> responses associated with status changes. We think this will improve
> clarity and future litigation of this requirement. So the new sentence
> would read “starting no more than 15 minutes after the Certificate or
> Precertificate is *first* published or otherwise made available.”
>

Happy to make this change.


>
> Do we need “using any current or previous key associated with that CA
> subject;”? What additional clarity is that trying to provide? It kind of
> reads as an endorsement of reusing keys for new CAs.
>

This line is carried forward from the existing language, and I didn't feel
like I had a strong reason to change it. But I'm happy to remove it (serial
uniqueness is covered by RFC 5280) since others think it is superfluous.


>
> When we read the lines starting at line 1391 we thought it might be more
> clear if there was a line break after the first sentence. So it would look
> like this instead:
>
> “If the OCSP responder receives a request for the status of a certificate
> serial number that is "unassigned", then the responder SHOULD NOT respond
> with a "good" status.
>
> If the OCSP responder is for a CA that is not Technically Constrained in
> line with [Section
> 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile)
> or [Section
> 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile),
> the responder MUST NOT respond with a "good" status for such requests."
>

I'd actually prefer not to make this change. The second sentence ends with
"...for such requests", and I think it is important that the antecedent of
that phrase be within the same paragraph.

Thanks,
Aaron
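The responder rules under discussion (the 15-minute window after a Certificate or Precertificate is first published, and the "unassigned serial" clauses with their SHOULD NOT / MUST NOT split by technical constraint), expressed as an audit check over observed responder answers. This is added example code, not part of the ballot text or of any CA's software; the `IssuingCA` model, the severity labels and the use of `None` to mean "no response yet" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the ballot's OCSP rules (assumption: the ballot does
# not define these data structures; they only serve this check).
FIRST_RESPONSE_DEADLINE = timedelta(minutes=15)


@dataclass
class IssuingCA:
    first_published: dict  # serial -> when the cert/precert was *first* published
    revoked: set           # serials with a revoked status
    technically_constrained: bool  # per BR Section 7.1.2.3 / 7.1.2.5


def check_ocsp_answer(ca, serial, status, observed_at):
    """Compare one observed responder answer against the ballot's rules.
    `status` is the observed CertStatus ("good", "revoked", "unknown") or None
    when no response exists yet. Returns (severity, finding) tuples."""
    findings = []
    if serial in ca.revoked:
        if status == "good":
            findings.append(("MUST", "revoked serial answered 'good'"))
    elif serial in ca.first_published:
        # Availability clock starts at *first* publication, not at status changes.
        deadline = ca.first_published[serial] + FIRST_RESPONSE_DEADLINE
        if status is None and observed_at > deadline:
            findings.append(("MUST", "no response >15 min after first publication"))
    else:
        # Unassigned serial: never "good". Mandatory unless the CA is
        # Technically Constrained, where the ballot only recommends it.
        if status == "good":
            severity = "SHOULD" if ca.technically_constrained else "MUST"
            findings.append((severity, "unassigned serial answered 'good'"))
    return findings


def demo():
    """Constructed sample: one live cert, one revoked cert, one unassigned serial."""
    t0 = datetime(2024, 8, 28, 12, 0, tzinfo=timezone.utc)
    ca = IssuingCA(first_published={0x1001: t0, 0x1002: t0}, revoked={0x1002},
                   technically_constrained=False)
    late = t0 + timedelta(minutes=20)
    return {
        "live_ok": check_ocsp_answer(ca, 0x1001, "good", late),
        "live_missing": check_ocsp_answer(ca, 0x1001, None, late),
        "revoked_good": check_ocsp_answer(ca, 0x1002, "good", late),
        "unassigned_good": check_ocsp_answer(ca, 0x1003, "good", late),
    }
```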