<div dir="ltr">I have included proposed fixes for all of these items in a GitHub pull request, if that is an easier forum for discussion on these points: <a href="https://github.com/cabforum/servercert/pull/418">https://github.com/cabforum/servercert/pull/418</a></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 1, 2023 at 3:02 PM Aaron Gable <<a href="mailto:aaron@letsencrypt.org">aaron@letsencrypt.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi Ryan,</div><div><br></div><div>Thanks so much for continuing to push this forward. Apologies for not leaving these comments earlier; I totally could have noticed these if I was doing closer readings prior to the discussion period beginning. I'm also happy to leave these comments directly on GitHub for easier cross-referencing if you'd like to create a PR from the redline linked in the ballot.</div><div><br></div>Editorial notes:<br>- GitHub-flavored markdown does not support `2^159^` for exponentiation. Consider Unicode SUPERSCRIPT numerals (i.e. `2¹⁵⁹`)?<br>- GitHub-flavored markdown does not support `\ \ \ \ ` inside tables for indentation. Consider Unicode non-breaking figure spaces (i.e. `    foo`)?<br>- The `[^surname_givenname]` footnote entry needs to be followed by a colon (i.e. `[^surname_givenname]:`) to be properly linked and rendered by GitHub-flavored markdown.<br>- Use of "e.g." to mean "approximately" in "2922 days (e.g. 8 years)" is not appropriate. Consider using "approx." instead.<br>- 7.1.2.1.1 has the name "Root CA Validity", but 7.1.2.1.3 just has the name "Authority Key Identifier". 
Either both of these should be prefaced with "Root CA" to disambiguate them from sections regarding the same fields but for other certificate types, or neither of these should be prefaced with "Root CA" as that qualifier is implied by being under section 7.1.2.1 Root CA Certificate Profile. The same applies to many other subsection titles.<br>- In 7.1.2.2.3, the tables only differ in one row. I believe it would be beneficial to readers to make the first table apply to *all* Subordinate CA Certificates, and then follow it with a single-row table that overrides that one row for the case that the Subordinate CA is operated externally.<br>- In 7.1.2.7.6, a dash (`-`) is used to indicate that the criticality of the `subjectAltName` extension depends on other factors. However, in earlier tables for CA certificate extensions (e.g. 7.1.2.2.3), an asterisk and footnote are used to indicate that the criticality depends on other factors. These should use the same notation as each other. I personally think the best notation is simply an asterisk, with all additional context provided in the "See Section X" section.<br>- In 7.1.2.7.12, the table entry for `dnsName` uses sentences phrased "The entry MUST", but the `iPAddress` table entry uses sentences which simply start "MUST ...". These should use similar phrasing.<br>- 7.1.2.8.4 includes a note regarding DER encoding of optional fields which take their default value. It seems odd to include this under Delegated OCSP Responder Certs but not under 7.1.2.7.8 Subscriber Certificate Basic Constraints, which has the same table. Also, is there a reason that this note doesn't simply say that, in this case, the extension must have the value NULL? Why is deriving this left as an exercise for the reader?<br>- Speaking of which, 7.1.2.8.6 and 7.1.2.9.3 use very different language to describe the ocsp-nocheck and precertificate-poison extensions having the value NULL. 
These should use the same language as each other.<br>- The tables in 7.1.2.11.2 seem confusing. Personally, I would include tables profiling the inner `DistributionPoint` and `uniformResourceIdentifier` objects, and use non-tabulated language to describe the fact that including more than one entry in the outer `CRLDistributionPoints` and `fullName` objects is NOT RECOMMENDED.<br><br>Substantive content notes:<br>- 7.1.2.2 says that it applies when creating a cross-sign for either an existing Root CA Certificate **or** an existing Subordinate CA Certificate. However, the definition of "Cross-Certificated Subordinate CA Certificate" in Section 1.6.1 still just says that it establishes trust "between two **Root** CAs". I believe the definition should be updated to indicate that it establishes trust between any two CAs, not just between two Root CAs.<br>- I'm curious about why the nameConstraints extension, if present, MUST contain a permittedSubtree for directoryNames. I think this means that Technically Constrained can only apply to Subordinate CA Certs which conduct OV/EV issuance?<br>- 7.1.2.7.7 refers to "AuthorityInformationAccessSyntax", but the ASN.1 type declared in RFC 5280 Section 4.2.2.1 is actually "AuthorityInfoAccessSyntax". The same in 7.1.2.10.3.<br>- Section 7.1.2.7.9 says other policy identifiers "MUST be defined by the CA". What if the policy identifier is defined by a different CA, which cross-signed the issuing CA and requires this policy identifier as part of that cross-sign contract?<br>- Section 7.1.2.9 says that "two Precertificates [cannot] share the same serialNumber, unless they are byte-for-byte identical, as this would otherwise indicate that there are corresponding Certificates that share the same serialNumber". I admit that this is a bizarre corner case, but: what if an Issuing CA has *two* Technically Constrained Precertificate Signing CAs? 
They could each issue a Precertificate with all of the same fields except for the Issuer field and authorityKeyIdentifier extension. But the Precertificate<->Certificate transformation would wipe out those changes, indicating that both Precertificates correspond to the *same* Certificate, and thus no violation of the serialNumber uniqueness constraint has occurred. Maybe nothing needs to change here, but maybe it's worth workshopping this language to avoid this confusion.<br>- Section 7.1.2.11.2 uses different language to describe the first uniformResourceIdentifier and subsequent uniformResourceIdentifiers in a fullName. In particular, the emphasis of the "MUST be http" in the 2+ section makes it seem like HTTP is not a MUST for the first entry.<br><div><br></div><div>Aaron</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 31, 2023 at 7:52 AM Ryan Dickson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><p style="line-height:1.656;margin-top:0pt;margin-bottom:0pt">**Correction on the discussion period date format below, sorry about that**</p><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><br></span></p><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Purpose of Ballot</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span 
style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Over the past three years, members of the Server Certificate Working Group Validation Subcommittee have collaborated on an update to the </span><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates</span><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> focused on improving the clarity of Section 7 (“Certificate, CRL, and OCSP Profiles”). </span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The update: </span></p><ol style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="margin-left:11pt;list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">better aligns certificate content expectations across certificate issuers and consumers, </span></p></li><li dir="ltr" 
style="margin-left:11pt;list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">reduces the opportunity for confusion resulting from the absence of a more precise certificate profile specification, and </span></p></li><li dir="ltr" style="margin-left:11pt;list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">promotes more consistent and reliable implementations across the ecosystem.</span></p></li></ol><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">While most of the proposed updates focus on Section 7, changes were </span><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">not</span><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> limited to only this section. 
</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Technical discussion related to the proposed changes, along with high-level change summaries have been documented in:</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="margin-left:11pt;list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">open GitHub pull requests (originally</span><a href="https://github.com/sleevi/cabforum-docs/pull/36" style="text-decoration-line:none" target="_blank"><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline"> </span><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline">here</span></a><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">, and more recently</span><a href="https://github.com/cabforum/servercert/pull/373" style="text-decoration-line:none" target="_blank"><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline"> </span><span 
style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline">here</span></a><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">),</span></p></li><li dir="ltr" style="margin-left:11pt;list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">several closed GitHub pull requests made against the “</span><a href="https://github.com/cabforum/servercert/tree/profiles" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline">profiles</span></a><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">” branch of the servercert GitHub repository, and</span></p></li><li dir="ltr" style="margin-left:11pt;list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">Validation Subcommittee meeting minutes (to include sessions held at Face-to-Face meetings). 
</span></p></li></ul><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Due to a small number of changes proposed in the ballot that is otherwise focused on clarifying existing requirements, an “all-encompassing” effective date makes these changes normative beginning 2023-09-15.</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The following motion has been proposed by Ryan Dickson of Google and endorsed by Clint Wilson of Apple and Dimitris Zacharopoulos of HARICA.</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Begins —</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 1.8.6.</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">MODIFY the Baseline Requirements as specified in the following Redline: </span><a 
href="https://github.com/cabforum/servercert/compare/2c63814fa7f9f7c477c74a6bfbeb57e0fcc5dd5b..0689ba59dbad9f5d2a5269051e5e0d0d1a25f3f6" style="text-decoration-line:none" target="_blank"><span style="font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/cabforum/servercert/compare/2c63814fa7f9f7c477c74a6bfbeb57e0fcc5dd5b..0689ba59dbad9f5d2a5269051e5e0d0d1a25f3f6</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-family:Arial;color:rgb(14,16,26);vertical-align:baseline;white-space:pre-wrap"> </span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Ends —</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">This ballot proposes a Final Maintenance Guideline. 
The procedure for approval of this ballot is as follows:</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Discussion (7+ days)</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">Start time: 2023-<b>01-31</b> 15:00:00 UTC</span></p></li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">End time: Not before 2023-02-07 15:00:00 UTC</span></p></li></ul><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Vote for approval (7 days)</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" 
style="margin-left:15px;list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">Start time: TBD</span></p></li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline">End time: TBD</span></p></li></ul></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 31, 2023 at 10:01 AM Ryan Dickson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span id="m_4176338842877005675m_8965299037823403001m_-7973384568043580210m_-1058995224230205147m_2475719541725030177gmail-docs-internal-guid-4d16fdf6-7fff-ed5c-c0b0-09e6837a3c7d"><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Purpose of Ballot</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span 
style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Over the past three years, members of the Server Certificate Working Group Validation Subcommittee have collaborated on an update to the </span><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates</span><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> focused on improving the clarity of Section 7 (“Certificate, CRL, and OCSP Profiles”). </span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The update: </span></p><ol style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">better aligns certificate content expectations across certificate issuers and consumers, </span></p></li><li dir="ltr" 
style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">reduces the opportunity for confusion resulting from the absence of a more precise certificate profile specification, and </span></p></li><li dir="ltr" style="list-style-type:decimal;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">promotes more consistent and reliable implementations across the ecosystem.</span></p></li></ol><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">While most of the proposed updates focus on Section 7, changes were </span><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">not</span><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> limited to only this section. 
</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Technical discussion related to the proposed changes, along with high-level change summaries have been documented in:</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">open GitHub pull requests (originally</span><a href="https://github.com/sleevi/cabforum-docs/pull/36" style="text-decoration-line:none" target="_blank"><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> </span><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">, and more recently</span><a href="https://github.com/cabforum/servercert/pull/373" style="text-decoration-line:none" target="_blank"><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> </span><span 
style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">),</span></p></li><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">several closed GitHub pull requests made against the “</span><a href="https://github.com/cabforum/servercert/tree/profiles" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">profiles</span></a><span style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">” branch of the servercert GitHub repository, and</span></p></li><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span 
style="color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Validation Subcommittee meeting minutes (to include sessions held at Face-to-Face meetings). </span></p></li></ul><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Due to a small number of changes proposed in the ballot that is otherwise focused on clarifying existing requirements, an “all-encompassing” effective date makes these changes normative beginning 2023-09-15.</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The following motion has been proposed by Ryan Dickson of Google and endorsed by Clint Wilson of Apple and Dimitris Zacharopoulos of HARICA.</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Begins —</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 1.8.6.</span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span 
style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">MODIFY the Baseline Requirements as specified in the following Redline: </span><a href="https://github.com/cabforum/servercert/compare/2c63814fa7f9f7c477c74a6bfbeb57e0fcc5dd5b..0689ba59dbad9f5d2a5269051e5e0d0d1a25f3f6" style="text-decoration-line:none" target="_blank"><span style="font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/cabforum/servercert/compare/2c63814fa7f9f7c477c74a6bfbeb57e0fcc5dd5b..0689ba59dbad9f5d2a5269051e5e0d0d1a25f3f6</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-family:Arial;color:rgb(14,16,26);vertical-align:baseline;white-space:pre-wrap"> </span></p><br><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Ends —</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">This ballot proposes a Final Maintenance Guideline. 
The procedure for approval of this ballot is as follows:</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Discussion (7+ days)</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Start time: 2023-31-01 15:00:00 UTC</span></p></li><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">End time: Not before 2023-02-07 15:00:00 UTC</span></p></li></ul><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Vote for approval (7 days)</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" 
style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Start time: TBD</span></p></li><li dir="ltr" style="list-style-type:disc;font-family:Arial;color:rgb(14,16,26);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">End time: TBD</span></p></li></ul></span></div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>