This discussion is related to Issue #211 on GitHub
<https://github.com/mozilla/pkipolicy/issues/211>.

Effective September 30, 2020, as a result of the Browser Alignment Ballot
<https://cabforum.org/2020/07/16/ballot-sc31-browser-alignment/>, section
4.9.10 of the CA/Browser Forum’s BaselineRequirements
<https://cabforum.org/baseline-requirements-documents/> (BR§4.9.10) says
that a CA’s OCSP responses must meet certain requirements. The purpose of
this email is to determine whether changes should be made to section 6 of
the Mozilla Root Store Policy
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#6-revocation>
(MRSP§6) to bring it closer to the Forum’s requirements for OCSP responses.
There are a few possible paths forward, including:

*Option 1* - Leave “as is” because MRSP§6 doesn’t conflict with the
Baseline Requirements.  MRSP§6 currently says,

“For end-entity certificates, if the CA provides revocation information via
an Online Certificate Status Protocol (OCSP) service:

· it MUST update that service at least every four days; and

· responses MUST have a defined value in the nextUpdate field, and it MUST
be no more than ten days after the thisUpdate field; and

· the value in the nextUpdate field MUST be before or equal to the notAfter
date of all certificates included within the BasicOCSPResponse.certs field
or, if the certs field is omitted, before or equal to the notAfter date of
the CA certificate which issued the certificate that the BasicOCSPResponse
is for.”

*Option 2* - MRSP§6 could simply incorporate by reference all of BR§4.9.10,
but then quite a few new OCSP requirements would also be adopted, some of
which people might find useful.



*Option 3* - Paste only language from BR§4.9.10’s subsections (1) through
(4) (for Subscriber/End-Entity Certificates) into MRSP§6.  Those four
subsections state:  “(1) OCSP responses MUST have a validity interval
greater than or equal to eight hours; (2) OCSP responses MUST have a
validity interval less than or equal to ten days; (3) For OCSP responses
with validity intervals less than sixteen hours, then the CA SHALL update
the information provided via an Online Certificate Status Protocol prior to
one-half of the validity period before the nextUpdate; and (4) For OCSP
responses with validity intervals greater than or equal to sixteen hours,
then the CA SHALL update the information provided via an Online Certificate
Status Protocol at least eight hours prior to the nextUpdate, and no later
than four days after the thisUpdate.”  The drawback of this approach would
come when trying to synchronize the language—it would not be in lockstep
with relevant changes to the BRs.



*Option 4* - Amend MRSP§6 to just incorporate by reference the above
subsections, i.e., “subsections (1) through (4) of BR§4.9.10, which deal
with the OCSP status responses for Subscriber Certificates, are hereby
incorporated by reference”.  This approach has a similar drawback if
additional subsections are added, and it doesn’t include other language in
BR§4.9.10 that some might find useful.

*Option 5* - Other

Finally, under the options above, can anyone think why different language
might be needed for OCSP responses for non-SSL/TLS (e.g. SMIME)
implementations?

Thanks in advance for your suggestions / recommendations.

Ben Wilson
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to