<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>TrustCor votes YES to Ballot SC33</p>
    <p>Regards,</p>
    <p>Neil<br>
    </p>
    <div class="moz-cite-prefix">On 07/08/2020 21:06, Wayne Thayer via
      Servercert-wg wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAPh8bk_wQ9T-d=-v-b1ieX-HSt9J7X7P8SzOxathtiB1knFiog@mail.gmail.com">
      <div dir="ltr">
        <div dir="ltr">
          <div>This begins the voting period for ballot <span
              class="gmail-il">SC33</span>: TLS Using ALPN Method</div>
          <div><br>
          </div>
          <div>Purpose of Ballot:</div>
          <div><br>
          </div>
          <div>In January 2018, a vulnerability affecting the ACME
            TLS-SNI-01 method of domain validation was disclosed [1].
            That method is an implementation of BR 3.2.2.4.10, which is
            still permitted by the BRs despite the vulnerability. Some
            Browsers have banned the use of method 10 unless mitigations
            for the vulnerability have been put into place, and one
            approach to mitigation - using application-layer protocol
            negotiation (ALPN) - has now been standardized by the IETF
            as RFC 8737. This ballot replaces the poorly specified and
            potentially insecure 'method 10' with a new 'method 20'
            based on RFC 8737.</div>
          <div><br>
          </div>
          <div>The ballot proposed no transition period during which
            method 10, or validations performed using method 10, may
            continue to be relied upon. The only known current use of
            method 10 is an implementation of RFC 8737 that would remain
            compliant (although it may require changes to the CA's CPS
            and the identifier of the method that is being logged when
            performing validations).<br>
          </div>
          <div><br>
          </div>
          <div>This ballot also limits the use of the new method to the
            specific FQDN that was validated - different subdomains
            require new validations, and wildcards are not permitted.
            This requirement is not the result of a specific known risk
            but rather stems from a belief that DNS-based validation
            methods are more appropriate for verifying control over an
            entire subdomain.<br>
          </div>
          <div><br>
          </div>
          <div>[1] <a
href="https://groups.google.com/d/msg/mozilla.dev.security.policy/RHsIInIjJA0/LKrNi35aAQAJ"
              target="_blank" moz-do-not-send="true">https://groups.google.com/d/msg/mozilla.dev.security.policy/RHsIInIjJA0/LKrNi35aAQAJ</a></div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>
            <div dir="ltr">The following motion has been proposed by
              Wayne Thayer of Mozilla and endorsed by Roland Shoemaker
              of Let's Encrypt and Tim Hollebeek of DigiCert.<br>
            </div>
            <div><br>
              -- MOTION BEGINS --<br>
              <br>
              This <span>ballot</span> modifies the “Baseline
              Requirements for the Issuance and Management of
              Publicly-Trusted Certificates” as follows, based on
              Version 1.7.0:<br>
            </div>
            <div><br>
            </div>
            <div>MODIFY section 3.2.2.4 as defined in the following
              redline: <a
href="https://github.com/cabforum/documents/compare/df5bd3b00e3a215202dedafa68bf8f608d47041b...26913aa7f75a78eff1af5cb628451b9433011a67"
                target="_blank" moz-do-not-send="true">https://github.com/cabforum/documents/compare/df5bd3b00e3a215202dedafa68bf8f608d47041b...26913aa7f75a78eff1af5cb628451b9433011a67</a>
            </div>
            <div><br>
            </div>
            <div dir="ltr">-- MOTION ENDS --<br>
              <br>
              <br>
              This <span>ballot</span> proposes a Final Maintenance
              Guideline.<br>
              <br>
              The procedure for approval of this <span>ballot</span> is
              as follows:<br>
              <br>
              Discussion (7+ days)<br>
              <br>
              Start Time: 31-July, 2020 17:00 UTC<br>
              <br>
              End Time: not before 7-August, 2020 17:00 UTC<br>
            </div>
            <div dir="ltr"><br>
            </div>
            <div dir="ltr">Vote for approval (7 days)<br>
              <br>
              Start Time: 7-August, 2020 20:00 UTC<br>
              <br>
              End Time: 14-August, 2020 20:00 UTC<br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
  </body>
</html>