We were looking at some of the details in Ballot SC-063 V4: Make OCSP Optional, Require CRLs, and Incentivize Automation
https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#721-version-numbers

We have 2 comments in the area of CRLs and Reason codes:

#1: For certificateHold it says:

    MUST NOT be included if the CRL entry is for 1) a Certificate subject to these Requirements, or 2) a Certificate not subject to these Requirements and was either A) issued on-or-after 2020-09-30 or B) has a notBefore on-or-after 2020-09-30.

We'd like to suggest a change because:

1. Regarding "2) a Certificate not subject to these Requirements": if "these Requirements" means the BRs, how is it that the BRs can place requirements on non-TLS certificates? Maybe this was an old requirement related to ICAs that issued both TLS and non-TLS certificates, which isn't a concern anymore.
2. This also has a back-dated requirement, given that it places requirements on certificates that were issued prior to this ballot being adopted (for certs not subject to these Requirements).

We recommend removing #2. It's not urgent so maybe we do this in the next clean-up. I opened this issue to track this: https://github.com/cabforum/servercert/issues/506

=====================================

#2: This ballot was to make CRLs required, but there isn't a requirement to include CDP in the TLS certificates. Is this intentional, or should we go through the BR and update to make it clear that for certificates that are not short-lived certificates CDP is required and AIA is optional? Perhaps there was a discussion prior that documented this.

For example, https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#712112-crl-distribution-points says:

    The CRL Distribution Points extension MUST be present in:
    * Subordinate CA Certificates; and
    * Subscriber Certificates that 1) do not qualify as "Short-lived Subscriber Certificates" and 2) do not include an Authority Information Access extension with an id-ad-ocsp accessMethod.

Which implies you can omit CDP if you have an id-ad-ocsp accessMethod. You could interpret these sections as saying that including the CDP is optional.
https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#712112-crl-distribution-points
https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#71276-subscriber-certificate-extensions

If the intent of the ballot is to ensure that every TLS CA has a CRL, but CDP is not required, then we should make that more clear in various places. Issue created: https://github.com/cabforum/servercert/issues/505

Regards,
Doug
_______________________________________________ Servercert-wg mailing list [email protected] https://lists.cabforum.org/mailman/listinfo/servercert-wg
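The 7.1.2.11.2 wording quoted in the post, written out as a certificate check so the gap is visible: a long-lived certificate carrying only an id-ad-ocsp AIA and no CDP produces no finding. This is an added example, not code from the CA/Browser Forum or the ballot; the short-lived threshold is a parameter because the post does not quote that definition, and the certificates are constructed self-signed test certificates with placeholder URLs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// checkCRLDP applies the quoted BR 7.1.2.11.2 wording: CDP is mandatory only when
// the Subscriber Certificate is neither short-lived nor carries an AIA id-ad-ocsp
// accessMethod. shortLivedMax is assumed (the post does not quote the definition).
func checkCRLDP(cert *x509.Certificate, shortLivedMax time.Duration) string {
	shortLived := cert.NotAfter.Sub(cert.NotBefore) <= shortLivedMax
	if shortLived || len(cert.OCSPServer) > 0 || len(cert.CRLDistributionPoints) > 0 {
		return "" // OCSPServer holds the AIA id-ad-ocsp URIs
	}
	return "CDP missing: certificate is not short-lived and has no id-ad-ocsp AIA"
}

// makeCert builds a constructed self-signed test certificate (not a real CA issuance).
func makeCert(validity time.Duration, cdp, ocsp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             now,
		NotAfter:              now.Add(validity),
		CRLDistributionPoints: cdp,
		OCSPServer:            ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// 90-day cert, OCSP URL only, no CDP: passes the quoted wording (the gap the post raises).
	if c, err := makeCert(90*24*time.Hour, nil, []string{"http://ocsp.example.test"}); err == nil {
		fmt.Printf("finding=%q\n", checkCRLDP(c, 10*24*time.Hour))
	}
}
```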
