<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">HARICA votes "yes" for ballot 189.<br>
<br>
Dimitris.<br>
<br>
On 5/4/2017 10:46 AM, Dimitris Zacharopoulos via Public wrote:<br>
</div>
<blockquote
cite="mid:769d5837-d9b8-8794-541d-be820f5beb00@it.auth.gr"
type="cite">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<br>
After the recent discussion, the ballot is now updated with
simpler language. Voting starts tomorrow April 6th.<br>
<br>
Dimitris.<br>
<br>
<br>
<div class="moz-forward-container"><strong>Ballot 189 - Amend
Section 6.1.7 of Baseline Requirements</strong> <span
class="anchor" id="line-3"></span><span class="anchor"
id="line-4"></span>
<p class="line874">The following motion has been proposed by
Dimitris Zacharopoulos of HARICA and endorsed by Bruce Morton
of Entrust and Jeremy Rowley of Digicert <span class="anchor"
id="line-5"></span><span class="anchor" id="line-6"></span></p>
<p class="line867"><strong>Background</strong>: <span
class="anchor" id="line-7"></span><span class="anchor"
id="line-8"></span></p>
<p class="line874">Section 6.1.7 of the Baseline Requirements
states that the Root CA Private Keys MUST NOT be used to sign
end-entity certificates, with some exceptions. It is unclear
if this exception list includes end-entity certificates with
EKU id-kp-timeStamping. This ballot attempts to clarify two
things: <span class="anchor" id="line-9"></span><span
class="anchor" id="line-10"></span></p>
<ol type="1">
<li>that it affects Root Keys in a hierarchy that issues SSL
Certificates and <span class="anchor" id="line-11"></span></li>
<li>that it does not include time stamping certificates in the
exception list. <span class="anchor" id="line-12"></span><span
class="anchor" id="line-13"></span></li>
</ol>
<p class="line874">It also clears the exception language for
1024-bit RSA Subscriber Certificates and testing products with
Certificates issued by a Root. <span class="anchor"
id="line-14"></span><span class="anchor" id="line-15"></span></p>
<p class="line867"><strong>-- MOTION BEGINS --</strong> <span
class="anchor" id="line-16"></span><span class="anchor"
id="line-17"></span></p>
<p class="line867"><em>Current section 6.1.7</em> <span
class="anchor" id="line-18"></span><span class="anchor"
id="line-19"></span></p>
<p class="line874">Root CA Private Keys MUST NOT be used to sign
Certificates except in the following cases: <span
class="anchor" id="line-20"></span><span class="anchor"
id="line-21"></span></p>
<ol type="1">
<li>Self-signed Certificates to represent the Root Certificate
itself; <span class="anchor" id="line-22"></span></li>
<li>Certificates for Subordinate CAs and Cross Certificates; <span
class="anchor" id="line-23"></span></li>
<li>Certificates for infrastructure purposes (e.g.
administrative role certificates, internal CA operational
device certificates, and OCSP Response verification
Certificates); <span class="anchor" id="line-24"></span></li>
<li>Certificates issued solely for the purpose of testing
products with Certificates issued by a Root CA; and <span
class="anchor" id="line-25"></span></li>
<li>Subscriber Certificates, provided that: <span
class="anchor" id="line-26"></span>
<ol type="a">
<li>The Root CA uses a 1024-bit RSA signing key that was
created prior to the Effective Date; <span
class="anchor" id="line-27"></span></li>
<li>The Applicant’s application was deployed prior to the
Effective Date; <span class="anchor" id="line-28"></span></li>
<li>The Applicant’s application is in active use by the
Applicant or the CA uses a documented process to
establish that the Certificate’s use is required by a
substantial number of Relying Parties; <span
class="anchor" id="line-29"></span></li>
<li>The CA follows a documented process to determine that
the Applicant’s application poses no known security
risks to Relying Parties; <span class="anchor"
id="line-30"></span></li>
<li>The CA documents that the Applicant’s application
cannot be patched or replaced without substantial
economic outlay. <span class="anchor" id="line-31"></span></li>
<li>The CA signs the Subscriber Certificate on or before
June 30, 2016; and <span class="anchor" id="line-32"></span></li>
<li>The notBefore field in the Subscriber Certificate has
a date on or before June 30, 2016 <span class="anchor"
id="line-33"></span><span class="anchor" id="line-34"></span></li>
</ol>
</li>
</ol>
<p class="line867"><em>Proposed section 6.1.7</em> <span
class="anchor" id="line-35"></span><span class="anchor"
id="line-36"></span></p>
<p class="line874">Private Keys corresponding to Root
Certificates MUST NOT be used to sign Certificates except in
the following cases: <span class="anchor" id="line-37"></span><span
class="anchor" id="line-38"></span></p>
<ol type="1">
<li>Self-signed Certificates to represent the Root CA itself;
<span class="anchor" id="line-39"></span></li>
<li>Certificates for Subordinate CAs and Cross Certificates; <span
class="anchor" id="line-40"></span></li>
<li>Certificates for infrastructure purposes (administrative
role certificates, internal CA operational device
certificates) <span class="anchor" id="line-41"></span></li>
<li>Certificates for OCSP Response verification; <span
class="anchor" id="line-42"></span><span class="anchor"
id="line-43"></span></li>
</ol>
<p class="line867"><strong>These changes become Effective 30
days after the ballot passes.</strong> <span class="anchor"
id="line-44"></span><span class="anchor" id="line-45"></span></p>
<p class="line867"><strong>-- MOTION ENDS --</strong> <span
class="anchor" id="line-46"></span><span class="anchor"
id="line-47"></span></p>
<p class="line874">The procedure for this ballot is as follows
(exact start and end times may be adjusted to comply with
applicable Bylaws and IPR Agreement): <span class="anchor"
id="line-48"></span><span class="anchor" id="line-49"></span></p>
<div>
<table>
<tbody>
<tr>
<td style="background-color: #E0E0FF">
<p class="line862">BALLOT 189 Status: Amend BR 6.1.7 </p>
</td>
<td colspan="2" style="background-color: #E0E0FF;
text-align: center">
<p class="line862"> Start time (22:00 UTC) </p>
</td>
<td colspan="2" style="background-color: #E0E0FF;
text-align: center">
<p class="line862"> End time (22:00 UTC) </p>
</td>
</tr>
<tr>
<td><span class="anchor" id="line-50"></span>
<p class="line862"> Discussion (7 days) </p>
</td>
<td colspan="2" style="text-align: center">
<p class="line862"> 30 March 2017 </p>
</td>
<td colspan="2" style="text-align: center">
<p class="line862"> 6 April 2017 </p>
</td>
</tr>
<tr>
<td><span class="anchor" id="line-51"></span>
<p class="line862"> Vote for approval (7 days) </p>
</td>
<td colspan="2" style="text-align: center">
<p class="line862"> 6 April 2017 </p>
</td>
<td colspan="2" style="text-align: center">
<p class="line862"> 13 April 2017 </p>
</td>
</tr>
<tr>
<td style="text-align: left;"><span class="anchor"
id="line-52"></span>
<p class="line862">If vote approves ballot: Review
Period (Chair to send Review Notice) (30 days)<br>
If Exclusion Notice(s) filed, ballot approval is
rescinded and PAG to be created.<br>
If no Exclusion Notices filed, ballot becomes
effective at end of Review Period.<br>
Votes must be cast by posting an on-list reply to
this thread on the Public Mail List.</p>
</td>
<td colspan="2" style="text-align: center">
<p class="line862">Upon filing of Review Notice by
Chair</p>
</td>
<td colspan="2" style="text-align: center">
<p class="line862">30 days after filing of Review
Notice by Chair</p>
</td>
</tr>
</tbody>
</table>
</div>
<span class="anchor" id="line-53"></span><span class="anchor"
id="line-54"></span>
<p class="line874">From Bylaw 2.3: If the Draft Guideline Ballot
is proposing a Final Maintenance Guideline, such ballot will
include a redline or comparison showing the set of changes
from the Final Guideline section(s) intended to become a Final
Maintenance Guideline, and need not include a copy of the full
set of guidelines. Such redline or comparison shall be made
against the Final Guideline section(s) as they exist at the
time a ballot is proposed, and need not take into
consideration other ballots that may be proposed subsequently,
except as provided in Bylaw Section 2.3(j). <span
class="anchor" id="line-55"></span><span class="anchor"
id="line-56"></span></p>
<p class="line862">Votes must be cast by posting an on-list
reply to this thread on the Public list. A vote in favor of
the motion must indicate a clear 'yes' in the response. A vote
against must indicate a clear 'no' in the response. A vote to
abstain must indicate a clear 'abstain' in the response.
Unclear responses will not be counted. The latest vote
received from any representative of a voting member before the
close of the voting period will be counted. Voting members are
listed here: <a moz-do-not-send="true" class="https"
href="https://cabforum.org/members/">https://cabforum.org/members/</a>
<span class="anchor" id="line-57"></span><span class="anchor"
id="line-58"></span></p>
In order for the motion to be adopted, two thirds or more of the
votes cast by members in the CA category and greater than 50% of
the votes cast by members in the browser category must be in
favor. Quorum is shown on CA/Browser Forum wiki. Under Bylaw
2.2(g), at least the required quorum number must participate in
the ballot for the ballot to be valid, either by voting in
favor, voting against, or abstaining. <br>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
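<p>The proposed section 6.1.7 quoted above maps directly onto a certificate lint. The following Go program is an added example, not code from the CA/Browser Forum, HARICA or the ballot itself: it classifies a certificate that was signed directly by a Root CA key against the proposed exception list, so a root-signed end-entity certificate with EKU id-kp-timeStamping is flagged, and it builds its own constructed root, TSA and OCSP-responder certificates as fixtures. The function names, the caller-supplied <code>infrastructure</code> flag (exception 3 cannot be read from the certificate) and the fixture names are assumptions.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// rootMaySign checks a certificate signed directly by a Root CA key against the
// proposed BR 6.1.7 exception list from ballot 189 (added example, not CA/B Forum code).
func rootMaySign(c *x509.Certificate, infrastructure bool) (bool, string) {
	if c.IsCA { // exceptions 1 and 2: the self-signed root itself, Subordinate CAs, Cross Certificates
		return true, "CA certificate (self-signed root, Subordinate CA or Cross Certificate)"
	}
	if infrastructure { // exception 3 is not visible in the certificate; the caller asserts it
		return true, "infrastructure certificate (classified out of band)"
	}
	ocspOnly := len(c.ExtKeyUsage) > 0 // exception 4: used solely for OCSP response verification;
	for _, eku := range c.ExtKeyUsage { // id-kp-timeStamping, alone or mixed in, is not exempted
		ocspOnly = ocspOnly && eku == x509.ExtKeyUsageOCSPSigning
	}
	if ocspOnly {
		return true, "OCSP Response verification certificate"
	}
	return false, "end-entity certificate signed by a Root key: not in the 6.1.7 exception list"
}
func issue(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate { // sign, then re-parse
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}
// demoChain builds a constructed root and two root-signed leaves (TSA, OCSP responder): fixtures only.
func demoChain() (root, tsa, ocsp *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one throwaway key reused for every fixture cert
	tmpl := func(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: eku}
	}
	r := tmpl(1, "Constructed Root")
	r.IsCA, r.BasicConstraintsValid, r.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	root = issue(r, r, pub, priv)
	tsa = issue(tmpl(2, "Constructed TSA", x509.ExtKeyUsageTimeStamping), root, pub, priv)
	ocsp = issue(tmpl(3, "Constructed OCSP Responder", x509.ExtKeyUsageOCSPSigning), root, pub, priv)
	return root, tsa, ocsp
}
```

<p>Run against a real root-issued certificate, the same function tells a CA whether the certificate falls under one of the four remaining exceptions or is the kind of root-signed end-entity certificate the amended text forbids.</p>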
<br>
</body>
</html>