<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Similar to SC38, I'm putting this one out as a heartbeat on the
discussion period (again, the holiday season has paused some
discussion on it, but I'm sure the issues can be resolved without
too much trouble).<br>
</p>
<p>I'm keen to retain this ballot as an editorial change as far as
possible - there are other issues regarding patching policy which
should be addressed via other ballots, and I don't really want to
fold further reaching changes into this one. Once I converse with
the endorsers I should have an updated ballot next week (after
2021-01-05).</p>
<p>Thanks,</p>
<p>Neil<br>
</p>
<div class="moz-cite-prefix">On 09/12/2020 10:44, Neil Dunbar via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01000176471a93d9-8422d61c-dc14-473b-a964-8fb7260db878-000000@email.amazonses.com">This
begins the discussion period for Ballot SC39: Definition of
Critical Vulnerability
<br>
<br>
<br>
The following motion has been proposed by Neil Dunbar of TrustCor
and endorsed by Ben Wilson (Mozilla) and Corey Bonnell (DigiCert).
<br>
<br>
The NetSec discussion document for this ballot is attached to this
email.
<br>
<br>
Purpose of Ballot:
<br>
<br>
It was brought to the attention of the NetSec Subgroup that the
URL in the NCSSRs which points to the definitions of the CVSS
security scoring system is no longer the appropriate one; moreover
the definition of “Critical Vulnerability” is no longer strictly
correct by the definitions currently posted by NIST.
<br>
<br>
Definitions of terms should always be consistent, especially when
the term is canonically defined by an external body; references
should be updated as and when they change on the canonical source.
<br>
<br>
-- MOTION BEGINS --
<br>
<br>
This ballot modifies the “Network and Certificate System Security
Requirements” based on Version 1.5.
<br>
<br>
Under the section “Definitions”:
<br>
<br>
Remove the current definition:
<br>
<br>
Critical Vulnerability: A system vulnerability that has a CVSS
score of 7.0 or higher according to the NVD or an equivalent to
such CVSS rating (see <a class="moz-txt-link-freetext" href="http://nvd.nist.gov/home.cfm">http://nvd.nist.gov/home.cfm</a>), or as
otherwise designated as a Critical Vulnerability by the CA or the
CA/Browser Forum.
<br>
Insert a new definition:
<br>
<br>
Critical Vulnerability: A system vulnerability that has a CVSS
v3.0 score of 9.0 or higher according to the NVD or an equivalent
to such CVSS rating (see <a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln-metrics/cvss">https://nvd.nist.gov/vuln-metrics/cvss</a>),
or as otherwise designated as a Critical Vulnerability by the CA
or the CA/Browser Forum.
<br>
<br>
-- MOTION ENDS --
<br>
<br>
* WARNING *: USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT THE
OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
<br>
<br>
A comparison of the changes can be found at:
<br>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/cabforum/servercert/compare/8f63128...neildunbar:54c201f">https://github.com/cabforum/servercert/compare/8f63128...neildunbar:54c201f</a>
<br>
<br>
This ballot proposes one Final Maintenance Guideline.
<br>
<br>
The procedure for approval of this ballot is as follows:
<br>
<br>
Discussion: (7+ days)
<br>
Start Time: 2020-12-09 17:00 UTC
<br>
End Time: not before 2020-12-16 17:00 UTC
<br>
<br>
Vote for approval (7 days)
<br>
Start Time: TBD
<br>
End Time: TBD
<br>
<br>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
</body>
</html>