[cabfpub] Ballot 106 - Extended deadline to prohibit OCSP good response for non-issued certificates

Tue Jul 23 20:42:52 UTC 2013

Google votes No

Similar to Opera's views expressed during discussion, this would be a
real step back, both for the CA/B Forum as a whole and for the value
of the Baseline Requirements, in that it rewards the slowest movers
and penalizes CAs that invest the time and energy into adapting to
ongoing security threats. The security of the system relies on the
ability of the various actors to rapidly respond to issues - and
failure to do so should not be rewarded.

Given how much lead time has been incorporated here - from the
original discussions, to the original ballot, to the inevitable
incorporation into the appropriate auditing criteria, to the
incorporation of the auditing criteria in to the root store programs -
it seems dangerous to suggest more time is needed, especially when it
effectively resets these clocks.

If the event this ballot fails, if there are CAs that fall out of BR
compliance, then as a root store, we'd be looking at a number of
actions to take in response, including not granting any special
indicators that users associate with higher security, such as EV.

On Tue, Jul 23, 2013 at 9:43 AM, Ben Wilson <ben at digicert.com> wrote:
> Ballot 106 – Extended Deadline to Prohibit OCSP “Good” Response for
> Non-Issued Certificates
>
>
>
> Given that several CAs have notified the CA/Browser Forum that they will be
> unable to comply with the 1-August-2013 deadline by which OCSP responders
> MUST NOT respond with a "good" status for unissued certificates, and that a
> one-year extension of this deadline is an appropriate timeframe by which
> these CAs should be able to come into compliance;
>
>
>
> Kelvin Yiu made the following motion, and Eddy Nigg from StartCom,  Ryan
> Hurst from GlobalSign,  and Iida Yosiaki from SECOM, and Inigo Barreira of
> Izenpe endorsed it:
>
>
>
> Motion Begins
>
>
>
> EFFECTIVE RETROACTIVELY TO 1 AUGUST 2013,
>
>
>
> The last sentence of Section 13.2.6 of the Baseline Requirements (Response
> for non-issued certificates) is hereby amended to read as follows:
>
>
>
> “Effective 1 August 2014, OCSP responders MUST NOT respond with a "good"
> status for such certificates.”
>
>
>
> Motion Ends
>
>
>
> The ballot review period comes into effect immediately upon posting today
> (Tuesday, 23 July 2013) and will close at 2200 UTC on Tuesday, 30 July 2013.
> Unless the ballot is withdrawn or modified during the review period, the
> voting period will start immediately thereafter and will close at 2200 UTC
> on Tuesday, 6 August 2013.  If the ballot is modified for reasons other than
> to correct minor typographical errors, then the ballot will be deemed to
> have been withdrawn.
>
>
>
> Votes must be cast by posting an on-list reply to this thread.
>
>
>
> A vote in favor of the ballot must indicate a clear 'yes' in the response.
>
>
>
> A vote against the ballot must indicate a clear 'no' in the response. A vote
> to abstain must indicate a clear 'abstain' in the response. Unclear
> responses will not be counted. The latest vote received from any
> representative of a voting member before the close of the voting period will
> be counted.
>
>
>
> Voting members are listed here: http://www.cabforum.org/forum.html
>
>
>
> In order for the motion to be adopted, two thirds or more of the votes cast
> by members in the CA category and more than one half of the votes cast by
> members in the browser category must be in favor. Also, quorum is currently
> set at seven (7) members-- at least seven members must participate in the
> ballot, either by voting in favor, voting against, or by abstaining for the
> vote to be valid.
>
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>