In addition, I would state that I believe the ballot is clear that operating OCSP is still required as long as any unexpired certificate contains an AIA OCSP URL: Sections 4.9.9 and 4.9.10 state that they "apply for communicating the status of Certificates which include an Authority Information Access extension with an id-ad-ocsp accessMethod". So even after 15 March 2024, OCSP services cannot simply be shut down until all certificates which reference them have expired.
Aaron

On Fri, Jul 28, 2023 at 12:37 PM Bruce Morton via Servercert-wg <[email protected]> wrote:

> Agreed.
>
> Bruce.
>
> *From:* Tim Hollebeek <[email protected]>
> *Sent:* Friday, July 28, 2023 3:33 PM
> *To:* Bruce Morton <[email protected]>; CA/B Forum Server Certificate WG Public Discussion List <[email protected]>; Inigo Barreira <[email protected]>
> *Subject:* [EXTERNAL] RE: Notice of Review Period: Ballot SC63 - Make OCSP optional, require CRLs and Incentivize Automation
>
> Just a helpful reminder to everyone trying to comply with this ballot to also check the Microsoft Root Program and its requirements around OCSP, which haven’t changed.
>
> I don’t want anyone accidentally running afoul of those program requirements because they read the BRs in isolation.
>
> -Tim
>
> *From:* Servercert-wg <[email protected]> *On Behalf Of* Bruce Morton via Servercert-wg
> *Sent:* Friday, July 28, 2023 9:32 AM
> *To:* Inigo Barreira <[email protected]>; CA/B Forum Server Certificate WG Public Discussion List <[email protected]>
> *Subject:* Re: [Servercert-wg] Notice of Review Period: Ballot SC63 - Make OCSP optional, require CRLs and Incentivize Automation
>
> Was just doing an implementation review of this ballot and the “optional” date for not supporting OCSP is confusing. Section 4.10.2 states “The CA SHALL operate and maintain its CRL and optional OCSP capability with resources sufficient to provide a response time of ten seconds or less under normal operating conditions.” There are no conditions. I will interpret that the ballot’s intent is that effective 15 March 2024, OCSP is optional and CRL is mandatory.
>
> Please advise, if I missed a condition for removal of OCSP in another section.
>
> Thanks, Bruce.
>
> *From:* Servercert-wg <[email protected]> *On Behalf Of* Inigo Barreira via Servercert-wg
> *Sent:* Monday, July 17, 2023 6:32 AM
> *To:* CA/B Forum Server Certificate WG Public Discussion List <[email protected]>
> *Subject:* [EXTERNAL] [Servercert-wg] Notice of Review Period: Ballot SC63 - Make OCSP optional, require CRLs and Incentivize Automation
>
> *NOTICE OF REVIEW PERIOD*
>
> This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.3). This Review Period of 30 days is for one Final Maintenance Guidelines. The complete Draft Maintenance Guideline that is the subject of this Review Notice is attached to this email, both in red-line and changes-accepted draft format, in Word and PDF versions.
>
> *Summary of Review*
>
> *Ballot for Review:* Ballot SC-063 v4: Make OCSP Optional, Require CRLs, and Incentivize Automation – CAB Forum <https://cabforum.org/2023/07/14/ballot-sc-063-v4make-ocsp-optional-require-crls-and-incentivize-automation/>
>
> *Start of Review Period: 17 July 2023 at 17:00 Eastern Time*
>
> *End of Review Period: 17 August 2023 at 17:00 Eastern Time*
>
> Members with any Essential Claim(s) to exclude must forward a written Notice to Exclude Essential Claims to the Working Group Chair (email to Iñigo Barreira <[email protected]>) and also submit a copy to the CA/B Forum public mailing list (email to public at cabforum.org) before the end of the Review Period.
>
> For details, please see the current version of the CA/Browser Forum Intellectual Property Rights Policy <https://cabforum.org/wp-content/uploads/CABF-IPR-Policy-v.1.3_4APR18.pdf>.
>
> (An optional template for submitting an Exclusion Notice is available at https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf)
>
> _______________________________________________
> Servercert-wg mailing list
> [email protected]
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
