<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hi Aaron,<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:0in;mso-list:l2 level1 lfo1'>2. The prohibition on "indirect CRLs".<o:p></o:p></li></ul><p class=MsoNormal style='margin-left:.25in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in'>Every CA certificate in the WebPKI MUST assert the cRLSign key usage bit, so that CA is also a CRL issuer (RFC 5280, section 4.1.2.6 says “If the subject is a CRL issuer (e.g., the key usage extension, as discussed in Section 4.2.1.3, is present and the value of cRLSign is TRUE)”). Additionally, I don’t believe there’s currently any mechanism in use in the WebPKI to distribute CRL issuer certificates, so I thought it would be reasonable to propose explicitly prohibiting indirect CRLs (why allow something that cannot be consumed by commonly used RP software?).<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in'><o:p> </o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='margin-left:0in;mso-list:l2 level1 lfo1'>But Let's Encrypt has been considering the possibility of using delegated signers in order to keep separate sets of issuing intermediates in each secure site, but still have every site capable of providing revocation information on behalf of all issuing intermediates.<o:p></o:p></li></ul><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in'>Would the root CA issue a CRL issuer certificate to issue CRLs on behalf of one or more intermediate CAs? 
I'm trying to envision how this would work without the relying party having to fetch a chain of additional certificates just to validate the CRL's signature back to a trust anchor.<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in'><o:p>&nbsp;</o:p></p><p class=MsoNormal style='margin-left:.25in'>Thanks,<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in'>Corey<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in'><o:p>&nbsp;</o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Servercert-wg &lt;servercert-wg-bounces@cabforum.org&gt; <b>On Behalf Of </b>Aaron Gable via Servercert-wg<br><b>Sent:</b> Thursday, April 27, 2023 1:58 PM<br><b>To:</b> Ryan Dickson &lt;ryandickson@google.com&gt;; CA/B Forum Server Certificate WG Public Discussion List &lt;servercert-wg@cabforum.org&gt;<br><b>Subject:</b> Re: [Servercert-wg] Discussion Period Begins - Ballot SC-063: “Make OCSP Optional and Incentivize Automation”<o:p></o:p></p></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><div><p class=MsoNormal>Hi Ryan,<o:p></o:p></p><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>Thanks so much for pushing this ballot forward. I'm looking forward to this set of changes.<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>I've left a few editorial comments on the GitHub PR itself (<a href="https://github.com/cabforum/servercert/pull/414">https://github.com/cabforum/servercert/pull/414</a>), but I figured for my more substantive discussion items, it would be better to do those on-list.<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>1. 
What does it mean to "support on-line revocation checking via OCSP"?<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>In particular, what if a given certificate does not contain an OCSP URL, but someone could manually construct an OCSP request for that certificate to the CA's *previous* OCSP URL, and get a response -- does that count as "support"? (An OCSP request identifies the certificate only by issuer name hash, issuer key hash, and serial number, so a responder for that issuer can answer for any of its certificates regardless of whether the certificate's AIA extension points to it.) This is relevant due to the need to transition from supporting OCSP to not supporting OCSP. A CA cannot simply stop including OCSP URLs in its certificates and turn off its OCSP service at the same time; the service needs to continue running until after the last certificate that embeds its URL has expired. If that service were incidentally capable of providing OCSP responses even for certificates that do not embed its URL, what requirements would apply to it?<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>2. The prohibition on "indirect CRLs".<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>While I totally agree that we should not have CA Foo issuing CRLs which cover certificates issued by CA Bar, the prohibition on indirect CRLs seems to have a negative side-effect: it means that CAs cannot use "delegated CRL issuers". This may not be a real loss; I believe that CAs have generally found that Delegated OCSP Signers cause more trouble than they're worth, and the same is likely true for Delegated CRL Issuers. 
But Let's Encrypt has been considering the possibility of using delegated signers in order to keep separate sets of issuing intermediates in each secure site, but still have every site capable of providing revocation information on behalf of all issuing intermediates.<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>I don't recall this particular provision coming up in previous discussions (and I can't find it in the minutes for meetings I missed), so can we hear a little bit more about the motivations behind this requirement?<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>3. Required inclusion of CRL Distribution Point URLs.<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>In this morning's meeting, we discussed the potential costs of requiring CAs to update their CRLs daily. Let's Encrypt already re-issues our CRLs every few hours, so this does not concern me.<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>However, those CRLs are currently only discoverable via the CCADB. No HTTP client or meddling router can download them, because they simply aren't aware that they exist. As soon as the CRL URLs are included directly in end-entity certificates, I'm certain that a number of certificate consumers will begin executing old codepaths and downloading them directly.<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>During normal operation, Let's Encrypt's CRLs total to (order-of-magnitude) 50MB every issuance cycle. They're updated once every few hours, and downloaded on a similar cadence. That's trivially sustainable, and significantly cheaper than serving OCSP. 
But if hundreds of thousands of clients begin downloading those CRLs directly, it's going to be a very different story.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>So I'd love to hear from other CAs a) how many certificates you have which embed a CRLDP, and b) how many requests-per-second you receive for that CRLDP as a result.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks again!<o:p></o:p></p></div><div><p class=MsoNormal>Aaron<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Thu, Apr 27, 2023 at 6:30 AM Ryan Dickson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif;color:black'>Purpose of Ballot SC-063:</span></b><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif;color:black'>This Ballot proposes updates to the <i>Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates</i> related to making Online Certificate Status Protocol (OCSP) services optional for CAs. This proposal does not prohibit or otherwise restrict CAs who choose to continue supporting OCSP from doing so. 
If CAs continue supporting OCSP, the same requirements apply as they exist today.</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:0in'><span style='font-family:"Arial",sans-serif;color:black'>Additionally, this proposal introduces changes related to CRL requirements to include:</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='color:black;mso-list:l4 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;white-space:pre-wrap'><span style='font-family:"Arial",sans-serif'>Establishing a detailed CRL profile, consistent with the certificate profiles introduced in Version 2.0.0 of the Baseline Requirements.<o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-list:l4 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;white-space:pre-wrap'><span style='font-family:"Arial",sans-serif'>CAs MUST generate and publish either:<o:p></o:p></span></li></ul><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li class=MsoNormal style='color:black;mso-list:l4 level2 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;white-space:pre-wrap'><span style='font-family:"Arial",sans-serif'>a full and complete CRL; OR <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-list:l4 level2 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;white-space:pre-wrap'><span style='font-family:"Arial",sans-serif'>partitioned CRLs (sometimes called “sharded” CRLs), that when aggregated, represent 
the equivalent of a full and complete CRL.<o:p></o:p></span></li></ul></ul><ul style='margin-top:0in' type=disc><li class=MsoNormal style='color:black;mso-list:l4 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;white-space:pre-wrap'><span style='font-family:"Arial",sans-serif'>CAs MUST include the corresponding HTTP URI for either the full and complete <i>or</i> partitioned/sharded CRL in the CRL Distribution Point extension of subscriber certificates.<o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-list:l4 level1 lfo2;vertical-align:baseline;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;white-space:pre-wrap'><span style='font-family:"Arial",sans-serif'>CRLs MUST be updated and reissued once daily.<o:p></o:p></span></li></ul><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif;color:black'>Finally, the proposal revisits the concept of a “short-lived” certificate, introduced in </span><a href="https://url.avanan.click/v2/___https:/cabforum.org/2015/11/11/ballot-153-short-lived-certificates/___.YXAzOmRpZ2ljZXJ0OmE6bzo2MmQwNTQyZjIwMTcxNTFhMDI0MDlhYTM5MDJkNzJkYzo2OjNkY2E6NTA1ZDMwMDhkODI4ZTFmMGQ0OTU5NGRhMmRmYjI5ODNmMjk2Yzc0N2JiYWY4MWI2YTk1MDkxNjBmNmFlOTQ1MzpoOkY" target="_blank" title="Protected by Avanan: https://cabforum.org/2015/11/11/ballot-153-short-lived-certificates/"><span style='font-family:"Arial",sans-serif'>Ballot 153</span></a><span style='font-family:"Arial",sans-serif;color:black'>. 
As described in this ballot, short-lived certificates (sometimes called “short-term certificates” in ETSI </span><a href="https://url.avanan.click/v2/___https:/www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf___.YXAzOmRpZ2ljZXJ0OmE6bzo2MmQwNTQyZjIwMTcxNTFhMDI0MDlhYTM5MDJkNzJkYzo2OmQ3Mzc6MzA0ODNmMWMwMzk4NTUyOGIxMGMzNjFhNGEzOGE0Njg3MThjMjI0MzRiY2I3NDY3MWZmZmM4ZGYyZjdmNTM1YTpoOkY" target="_blank" title="Protected by Avanan: https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf"><span style='font-family:"Arial",sans-serif;color:#4A6EE0'>specifications</span></a><span style='font-family:"Arial",sans-serif;color:black'>) are:</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3'><b><span style='font-family:"Arial",sans-serif;color:black'>optional</span></b><span style='font-family:"Arial",sans-serif;color:black'>. CAs will not be required to issue short-lived certificates. For TLS certificates that do not meet the definition of a short-lived certificate introduced in this proposed update, the current maximum validity period of 398 days remains applicable. 
</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3'><b><span style='font-family:"Arial",sans-serif'>constrained to an initial maximum validity period of ten (10) days.</span></b><span style='font-family:"Arial",sans-serif;color:black'> The proposal stipulates that short-lived certificates issued on or after 15 March 2026 must not have a Validity Period greater than seven (7) days.</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3'><b><span style='font-family:"Arial",sans-serif;color:black'>not required to contain a CRLDP or OCSP pointer and are not required to be revoked</span></b><span style='font-family:"Arial",sans-serif;color:black'>. The primary mechanism of certificate invalidation for these short-lived certificates would be through certificate expiry. CAs may optionally revoke short-lived certificates. The initial maximum certificate validity is aligned with the existing maximum values for CRL “nextUpdate” and OCSP response validity allowed by the BRs today. 
</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></li></ul><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif;color:black'>Additional background, justification, and considerations are outlined </span><a href="https://url.avanan.click/v2/___https:/docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit___.YXAzOmRpZ2ljZXJ0OmE6bzo2MmQwNTQyZjIwMTcxNTFhMDI0MDlhYTM5MDJkNzJkYzo2OjUzMTU6NmNmOTdmMjBjNjZlYmQ4NzI0OTQzZGUxZWM2ZGQ1YTQ4NGM5YzI4M2M3ZGI0ODQzYWNjN2ZhMzJkNmEyNzQ3ZjpoOkY" target="_blank" title="Protected by Avanan: https://docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit"><span style='font-family:"Arial",sans-serif;color:#4A6EE0'>here</span></a><span style='font-family:"Arial",sans-serif;color:black'>.</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif;color:black'>The following motion has been proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program) and endorsed by Kiran Tummala of Microsoft and Tim Callan of Sectigo.</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif;color:black'>— Motion Begins —</span></b><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif;color:black'>This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” 
(“Baseline Requirements”), based on Version 2.0.0.</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p>&nbsp;</o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif;color:black'>MODIFY the Baseline Requirements as specified in the following Redline: </span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='margin:0in'><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9" target="_blank" rel="noopener noreferrer">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9</a> <o:p></o:p></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p>&nbsp;</o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif;color:black'>— Motion Ends —</span></b><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p>&nbsp;</o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif;color:black'>This ballot proposes a Final Maintenance Guideline. 
The procedure for approval of this ballot is as follows:</span><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif;color:black'>Discussion (14+ days)</span></b><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:47.0pt;text-indent:-.25in;mso-list:l3 level1 lfo4;vertical-align:baseline'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>        </span></span></span><![endif]><span style='font-family:"Arial",sans-serif;color:black'>Start time: 2023-04-27 13:30:00 UTC<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:47.0pt;text-indent:-.25in;mso-list:l3 level1 lfo4;vertical-align:baseline'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>        </span></span></span><![endif]><span style='font-family:"Arial",sans-serif;color:black'>End time: Not before 2023-05-11 13:30:00 UTC<o:p></o:p></span></p><p style='margin:0in'><span style='font-family:"Arial",sans-serif'><o:p> </o:p></span></p><p style='margin:0in'><b><span style='font-family:"Arial",sans-serif;color:black'>Vote for approval (7 days)</span></b><span style='font-family:"Arial",sans-serif'><o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:47.0pt;text-indent:-.25in;mso-list:l0 level1 lfo5;vertical-align:baseline'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>        </span></span></span><![endif]><span 
style='font-family:"Arial",sans-serif;color:black'>Start time: TBD<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:47.0pt;text-indent:-.25in;mso-list:l0 level1 lfo5;vertical-align:baseline'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span></span></span><![endif]><span style='font-family:"Arial",sans-serif;color:black'>End time: TBD<o:p></o:p></span></p></div><p class=MsoNormal>_______________________________________________<br>Servercert-wg mailing list<br><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank" rel="noopener noreferrer">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></p></blockquote></div></div></body></html>