<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Apple votes YES on Ballot SC-063.<br><div><br><blockquote type="cite"><div>On Jul 6, 2023, at 8:59 AM, Ryan Dickson via Servercert-wg &lt;servercert-wg@cabforum.org&gt; wrote:</div><br class="Apple-interchange-newline"><div><div dir="ltr"><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-weight: 700;">Purpose of Ballot SC-063</span></div><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">This Ballot proposes updates to the </span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-style: italic; vertical-align: baseline;">Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates</span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> related to making Online Certificate Status Protocol (OCSP) services </span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; text-decoration: underline; vertical-align: baseline;">optional</span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> for CAs. 
This proposal does </span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; text-decoration: underline; vertical-align: baseline;">not</span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> prohibit or otherwise restrict CAs who choose to continue supporting OCSP from doing so. If CAs continue supporting OCSP, the </span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; text-decoration: underline; vertical-align: baseline;">same</span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> requirements apply as they exist today.</span></div><br style="font-family:arial,sans-serif"><p dir="ltr" style="font-family:arial,sans-serif;line-height:1.2;margin-top:0pt;margin-bottom:10pt"><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Additionally, this proposal introduces changes related to CRL requirements including:</span></p><ul style="font-family:arial,sans-serif;margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">CRLs must conform with the proposed profile.</span></div></li><li dir="ltr" style="list-style-type: disc; 
background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">CAs must generate and publish either:</span></div></li><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: circle; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">a full and complete, or </span></div></li><li dir="ltr" style="list-style-type: circle; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">a set of partitioned CRLs (sometimes called “sharded” CRLs), that when aggregated, represent the equivalent of a full and complete CRL.</span></div></li></ul><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span 
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">CAs issuing Subscriber Certificates must update and publish a new CRL…</span></div></li><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: circle; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">within twenty-four (24) hours after recording a Certificate as revoked; and </span></div></li><li dir="ltr" style="list-style-type: circle; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Otherwise: </span></div></li><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: square; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">at least every seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”), or</span></div></li><li dir="ltr" 
style="list-style-type: square; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">at least every four (4) days in all other cases.</span></div></li></ul></ul></ul><br style="font-family:arial,sans-serif"><p dir="ltr" style="font-family:arial,sans-serif;line-height:1.2;margin-top:0pt;margin-bottom:10pt"><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Finally, the proposal revisits the concept of a “short-lived” certificate, introduced in </span><a href="https://cabforum.org/2015/11/11/ballot-153-short-lived-certificates/" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">Ballot 153</span></a><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">. 
As described in this ballot, short-lived certificates (sometimes called “short-term certificates” in ETSI </span><a href="https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">specifications</span></a><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">) are:</span></p><ul style="font-family:arial,sans-serif;margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">optional</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">. CAs will </span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">not</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> be required to issue short-lived certificates. 
For TLS certificates that do not meet the definition of a short-lived certificate introduced in this proposed update, the current maximum validity period of 398 days remains applicable. </span></div></li></ul><ul style="font-family:arial,sans-serif;margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">constrained to an initial maximum validity period of ten (10) days.</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> The proposal stipulates that short-lived certificates issued on or after 15 March 2026 must not have a Validity Period greater than seven (7) days.</span></div></li></ul><ul style="font-family:arial,sans-serif;margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="background-color:transparent;font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">not required to contain a CRLDP or OCSP pointer and are not required to be revoked</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">. 
The primary mechanism of certificate invalidation for these short-lived certificates would be through certificate expiry. CAs may </span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">optionally</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> revoke short-lived certificates. The initial maximum certificate validity is aligned with the existing maximum values for CRL “nextUpdate” and OCSP response validity allowed by the BRs today. </span></div></li></ul><br style="font-family:arial,sans-serif"><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Additional background, justification, and considerations are outlined </span><a href="https://docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">here</span></a><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.</span></div><br style="font-family:arial,sans-serif"><p dir="ltr" style="font-family:arial,sans-serif;line-height:1.2;margin-top:0pt;margin-bottom:10pt"><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; text-decoration: underline; vertical-align: baseline;">Proposal Revision History:</span></p><ul style="font-family:arial,sans-serif;margin-top:0px;margin-bottom:0px"><li dir="ltr" 
style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The set of updates resulting from the first round of discussion are presented</span><a href="https://github.com/ryancdickson/staging/pull/3/files" style="text-decoration-line:none" target="_blank"><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> </span><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">here</span></a><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">.</span></div></li><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The set of updates resulting from the second round of discussion are presented </span><a href="https://github.com/ryancdickson/staging/pull/5/files" style="text-decoration-line:none" target="_blank"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">here</span></a><span 
style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">.</span></div></li><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The set of updates resulting from the third round of discussion are presented </span><a href="https://github.com/ryancdickson/staging/pull/7/files" style="text-decoration-line:none" target="_blank"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">here</span></a><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">. 
</span></div></li></ul><br style="font-family:arial,sans-serif"><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">The following motion has been proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program) and endorsed by </span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Kiran Tummala</span><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> of Microsoft and </span><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Tim Callan</span><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> of Sectigo.</span></div><br style="font-family:arial,sans-serif"><br style="font-family:arial,sans-serif"><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">— Motion Begins —</span></div><br style="font-family:arial,sans-serif"><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.0.</span></div><br style="font-family:arial,sans-serif"><div 
style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">MODIFY the Baseline Requirements as specified in the following Redline: </span></div><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..b8a0453e59ff342779d5083f2f1f8b8b5930a66a" style="text-decoration-line:none" target="_blank"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..b8a0453e59ff342779d5083f2f1f8b8b5930a66a</span></a><span style="background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> </span></div><br style="font-family:arial,sans-serif"><br style="font-family:arial,sans-serif"><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">— Motion Ends —</span></div><br style="font-family:arial,sans-serif"><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">This ballot proposes a Final Maintenance Guideline. 
The procedure for approval of this ballot is as follows:</span></div><br style="font-family:arial,sans-serif"><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Discussion (13+ days)</span></div><ul style="font-family:arial,sans-serif;margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap; margin-left: 11pt;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Start time: 2023-06-22 20:30:00 UTC</span></div></li><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap; margin-left: 11pt;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">End time: 2023-07-06 15:59:59 UTC</span></div></li></ul><br style="font-family:arial,sans-serif"><div style="font-family: arial, sans-serif; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Vote for approval (7 days)</span></div><ul style="font-family:arial,sans-serif;margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap; margin-left: 11pt;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Start time: 2023-07-06 16:00:00 UTC</span></div></li><li dir="ltr" style="list-style-type: disc; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline; white-space: pre-wrap; margin-left: 11pt;"><div style="line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">End time: 2023-07-13 16:00:00 UTC</span></div></li></ul></div>
</div></blockquote></div><br></body></html>