Ballot SC076v2: Clarify and improve OCSP requirements
Server Certificate Working Group
Key dates
- Effective date: 15 Jan 2025
- Voting opened: 26 Sep 2024
- Voting closed: 03 Oct 2024
- Discussion opened: 29 Aug 2024
- Discussion closed: 26 Sep 2024
AI Summary
Ballot overview
- Ballot: SC076v2 Clarify and improve OCSP requirements (Server Certificate Working Group)
- Purpose: Address confusion about reserved serials, OCSP responder authoritative response timing, and how OCSP requirements apply when a certificate does not contain an AIA OCSP URL.
Key changes proposed
- OCSP response timing: OCSP responses must be available within 15 minutes of signing a certificate containing an AIA OCSP URL.
- Remove reserved serial concept: The ballot removes the concept of a reserved serial entirely.
- Restructure OCSP requirements:
  - Move OCSP requirements into Section 4.9.9.
  - Leave Section 4.9.10 empty (described as intended to place requirements on relying parties, not on CAs).
  - Organize Section 4.9.9 into three clusters:
    - Definitions of validity interval, assigned, and unassigned.
    - Requirements on OCSP responders (apply only to responses from AIA OCSP URLs found in issued certs).
    - Requirements on OCSP responses (apply to all responses regardless of whether the certificate has an AIA OCSP URL).
OCSP status availability requirement (from the provided diff)
- Effective 2025-01-15: For the status of a Subscriber Certificate or its corresponding Precertificate, an authoritative OCSP response MUST be available starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available.
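One way a CA or auditor could test the 15-minute availability requirement against responder polling data, as an added example that is not part of the ballot or of any CA's tooling. The record layout, the status labels, the placeholder responder URL, the choice to treat only signed `good`/`revoked` responses as authoritative, and applying the rule by publication date are all assumptions.

```python
from datetime import datetime, timedelta, timezone

EFFECTIVE = datetime(2025, 1, 15, tzinfo=timezone.utc)  # effective date stated in the ballot
MAX_DELAY = timedelta(minutes=15)                       # limit stated in the ballot
AUTHORITATIVE = {"good", "revoked"}  # assumption: only these signed statuses count


def check_availability(cert, polls, now):
    """Classify one certificate. cert: {"published": datetime, "ocsp_url": str|None};
    polls: [(datetime, status)] observed for its serial; now: evaluation time."""
    if cert["ocsp_url"] is None:
        return "not-applicable"   # no AIA OCSP URL, so the responder rule does not apply
    if cert["published"] < EFFECTIVE:
        return "pre-effective"    # assumption: rule applied by publication date
    deadline = cert["published"] + MAX_DELAY
    polls = sorted(p for p in polls if p[0] >= cert["published"])
    first_ok = next((t for t, s in polls if s in AUTHORITATIVE), None)
    if first_ok is not None and first_ok <= deadline:
        return "compliant"
    # A failed poll after the deadline, with no success before it, proves lateness.
    for t, s in polls:
        if s not in AUTHORITATIVE and t > deadline and (first_ok is None or t < first_ok):
            return "violation"
    # Otherwise the polls never sampled the window that would settle the question.
    return "pending" if now <= deadline else "inconclusive"


def demo():
    """Run the check over constructed observations (not real CA data)."""
    t0 = datetime(2025, 2, 1, 12, 0, tzinfo=timezone.utc)

    def m(n):
        return t0 + timedelta(minutes=n)

    url = "http://ocsp.example.test"  # placeholder responder URL
    new = {"published": t0, "ocsp_url": url}
    old = {"published": datetime(2024, 12, 1, tzinfo=timezone.utc), "ocsp_url": url}
    cases = {
        "fast": (new, [(m(1), "unauthorized"), (m(6), "good")]),
        "late": (new, [(m(10), "tryLater"), (m(16), "unauthorized"), (m(21), "good")]),
        "sparse": (new, [(m(5), "unauthorized"), (m(25), "good")]),
        "no-aia": ({"published": t0, "ocsp_url": None}, []),
        "old": (old, []),
    }
    return {name: check_availability(c, p, now=m(60)) for name, (c, p) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8} {verdict}")
```

The `sparse` case shows why the polling interval must be shorter than the 15-minute window: a first success at minute 25 with no failed poll after the deadline neither proves nor disproves compliance.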
Ballot approval result (from the ballot page)
- Voting results show 20 Issuers voting YES, 0 NO, 0 ABSTAIN; 2 Consumers voting YES, 0 NO, 0 ABSTAIN.
- The ballot page states Bylaws Requirements were MET and the ballot current status is passed.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Proposers
Proposed by Aaron Gable (Let’s Encrypt / ISRG) and endorsed by Ben Wilson (Mozilla) and Antonis Eleftheriadis (HARICA).