Clarify OCSP/CRL Availability Requirements #214
Comments
|
Discussions have been started on the m.d.s.p. and CA/B Forum server certificate list re: OCSP uptime requirements. https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/Pnyo3vhMhJY |
|
Section 4.10.2 of the Baseline Requirements says, "The CA SHALL maintain an online 24x7 Repository that application software can use to automatically check the current status of all unexpired Certificates issued by the CA." One proposal for a ballot in the CA/Browser Forum suggested adding: The Repository SHALL be continually available and the CA SHALL disclose its Service Level Objectives in its CPS for the Repository measured against the following Service Level Indicators at a minimum: Availability: Percent of OCSP and CRL service requests that receive a response conforming to Section 4.9.9. Service Level Indicators SHALL be measured across a 30-day rolling window. CAs SHALL specify the location from where the response time is measured in its CPS. |
|
I'm going to remove this from the version 2.9 batch of changes. |
Mozilla's expectations for OCSP and CRL availability do not appear to be very clear, and as a result CAs inconsistently report outages. For example, GlobalSign reported a recent multi-day service degradation but IdenTrust did not. The BRs require 24x7 availability, but services are never 100% available and I suspect that Mozilla doesn't want CAs to report every second of downtime recorded by their monitoring systems. I suggest creating some guidance for CAs. For example, Mozilla could require CAs to treat an outage (defined as: the majority of users can't get a response from the service within 10 seconds) of more than 45 minutes (roughly 99.9% availability over the period of a month) as an incident.
Alternately, one could argue that with with OneCRL and CRLite Mozilla doesn't care about availability of these services, and guidance should be that CAs don't need to report CRL/OCSP outages as incidents. Of course this leaves some sharp edges exposed - CAs that don't participate in CRLite, and Thunderbird users, for instance.
The text was updated successfully, but these errors were encountered: