[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Oct 18 00:10:00 MST 2019
On 2019-10-17 9:33 PM, Ryan Sleevi via Servercert-wg wrote:
> The suggested resolution was a ballot that *only* changes 4.9.10, to say
>
> If the OCSP responder receives an OCSP request for the status of a
> serial number that has not been reserved or assigned, using any
> current or previous issuing key for the CA subject, then the responder
> SHOULD NOT respond with a "good" status. A serial number is considered
> reserved if it has appeared within a Precertificate, as described
> within RFC 6962, associated with that CA subject, either directly or
> via a Precertificate Signing Certificate. A serial number is
> considered assigned if it has appeared within a Certificate associated
> with that CA subject. OCSP responders for CAs that are not Technically
> Constrained in line with Section 7.1.5 MUST NOT respond with a "good"
> status for such certificates. The CA SHOULD monitor the responder for
> such requests as part of its security response procedures.
I believe this language is very difficult to understand, at least for
me. Perhaps we should break down these sentences defining what it means
for a serial number to be "reserved" or "assigned" (we don't need to add
in section 1.6.1) and then state the requirements. I think it would be
easier to read.
I also think that we no longer need to differentiate between Technically
Constrained subCAs and unconstrained ones. They all must adhere to the
MUST rule since 2013-08-01.
Dimitris.
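To make the quoted 4.9.10 language concrete, here is an added example (not code from the thread or from any CA's responder) that separates the two definitions the way Dimitris suggests: a serial is "reserved" once it appears in a Precertificate for that CA subject (directly or via a Precertificate Signing Certificate) and "assigned" once it appears in a Certificate, with lookups keyed by CA subject rather than issuing key so previous keys are covered. The in-memory record store, the string status values and the `alerts` list are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    PRECERT = "precertificate"  # RFC 6962 Precertificate: serial becomes "reserved"
    CERT = "certificate"        # final Certificate: serial becomes "assigned"


@dataclass
class IssuanceLog:
    """Serials seen per CA subject (assumed in-memory store).

    Keyed by CA subject, not issuing key, so a serial issued under a previous
    key of the same subject still counts. A Precertificate signed via a
    Precertificate Signing Certificate is recorded under the issuing CA's
    subject, which is what associates it with that subject.
    """
    records: dict = field(default_factory=dict)  # (subject, serial) -> set[Kind]

    def add(self, subject: str, serial: int, kind: Kind) -> None:
        self.records.setdefault((subject, serial), set()).add(kind)

    def state(self, subject: str, serial: int) -> str:
        kinds = self.records.get((subject, serial), set())
        if Kind.CERT in kinds:
            return "assigned"
        if Kind.PRECERT in kinds:
            return "reserved"
        return "unreserved"


def ocsp_status(log: IssuanceLog, subject: str, serial: int,
                revoked: set, alerts: list) -> str:
    """Return the OCSP status for (subject, serial).

    Never answers "good" for a serial that is neither reserved nor assigned;
    such requests are appended to `alerts` so the CA can monitor them as part
    of its security response procedures.
    """
    if (subject, serial) in revoked:
        return "revoked"
    if log.state(subject, serial) == "unreserved":
        alerts.append((subject, serial))  # possible mis-issuance probe: surface it
        return "unknown"
    return "good"  # reserved (precert-only) and assigned serials get a real answer
```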