<div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I don’t have any particular concern with the change itself, to be clear,
 but the motivation behind this — and the abruptness of the introduction
 of the topic — remain opaque to me.</blockquote><div><br></div><div>It appears to me that this bug is the motivation for this ballot: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1883843">https://bugzilla.mozilla.org/show_bug.cgi?id=1883843</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 15, 2024 at 9:58 AM Clint Wilson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hi Paul,<div><br></div><div>There are a lot of ways that the EVGs differ from the TBRs; that’s basically the point of them, as I understand it. Specifically it’s within the profiles that most non-process-oriented differences can be found between EV, OV, IV, and DV TLS certificates. Are all of these differences issues which should be addressed by the WG to bring EV TLS certificates more in line with the leaner profiles found in the TBRs?</div><div><br></div><div>I don’t see how this is a genuine misalignment between the TBRs and the EVGs. 
I could possibly see a misalignment between RFC 5280 and the EVGs, but even there it’s very intentional that allowance is given such that individual use-cases can successfully be addressed without violating the RFC.<div><br></div><div><div style="color:rgb(0,0,0)">From <a href="https://datatracker.ietf.org/doc/html/rfc2119#section-4" target="_blank">https://datatracker.ietf.org/doc/html/rfc2119#section-4</a>: (emphasis mine)</div><div style="color:rgb(0,0,0)">"SHOULD NOT   This phrase, or the phrase "NOT RECOMMENDED" mean that<div>   <b>there may exist valid reasons</b> in particular circumstances when the</div><div>   particular behavior is acceptable or even useful, but the full</div><div>   implications should be understood and the case carefully weighed</div><div>   before implementing any behavior described with this label."</div><div><br></div><div>From <a href="https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4" target="_blank">https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4</a>:</div><div>"To promote interoperability, this profile RECOMMENDS that policy</div><div>   information terms consist of only an OID.  Where an OID alone is</div><div>   insufficient, this profile strongly recommends that the use of</div><div>   qualifiers be limited to those identified in this section."</div></div><div><br></div><div>In both cases, it’s clear to me, when encountering a SHOULD, SHOULD NOT, RECOMMENDS, or NOT RECOMMENDED, that the expectation is for CAs to individually assess what is the most appropriate action to take. That doesn’t sound like a misalignment, so much as an acknowledgement of potential nuance and the need for additional consideration. 
As you say, they shouldn’t "unless they have a good reason to" — such as the EV Guidelines explicitly requiring policyQualifiers.</div><div><br></div><div>I don’t have any particular concern with the change itself, to be clear, but the motivation behind this — and the abruptness of the introduction of the topic — remain opaque to me.</div><div><br></div><div>Thank you,</div><div>-Clint</div><div><br><blockquote type="cite"><div>On Mar 15, 2024, at 9:09 AM, Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com" target="_blank">Paul.vanBrouwershaven@entrust.com</a>> wrote:</div><br><div><div style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">Hi Clint,</div><div style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">If the BRs specified MAY and the EVGs MUST you can put it in both and thus have profile alignment. 
After this changed from MAY to NOT RECOMMENDED, we end up with a conflicting requirement: while allowed, it's expected that CAs adhere to a NOT RECOMMENDED unless they have a good reason to do so.</div><div style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">While it's possible to implement two different policies, this does create a clear misalignment.</div><div style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">Paul</div><div style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt"><br></div><hr 
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;display:inline-block;width:767.328px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline"></span><span style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt"><b>From:</b> Clint Wilson<br><b>Sent:</b> Friday, March 15, 2024 17:00<br><b>To:</b> Paul van Brouwershaven; ServerCert CA/BF<br><b>Subject:</b> [EXTERNAL] Re: [Servercert-wg] [Discussion Period Begins]: SC-72 - Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED</span><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline"></span><div style="font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt"><br></div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Hi,</div><div 
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br></div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Could the ballot author and endorsers please provide some additional explanation and context surrounding this ballot? As far as I can recall, this topic hasn’t been discussed since SC-062, so it’s rather coming out of nowhere as a ballot proposal (which is, of course, totally fine, but also still abrupt/confusing). Why is this difference between the TBRs and the EVGs necessary/valuable for the WG to address at the moment?</div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br></div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">You indicate that this is a discrepancy introduced by Ballot SC-062, but I don’t see how that’s the case. Before SC-062, the TBRs specified policyQualifiers as Optional and after as NOT RECOMMENDED. 
Neither of these match the MUST present in the EVGs and both of these are compatible/non-conflicting with the MUST present in the EVGs.</div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br></div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Thanks,</div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">-Clint</div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br></div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br></div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br></div><blockquote style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div>On Mar 15, 2024, at 3:01 AM, Paul van Brouwershaven via Servercert-wg <<a 
href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:</div><br><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">This ballot updates the TLS Extended Validation Guidelines (EVGs) by removing the exceptions to <code>policyQualifiers</code> in section 9.7, to align them with the Baseline Requirements (BRs). As a result, this ballot changes <code>policyQualifiers</code> from <code>MUST</code> to <code>NOT RECOMMENDED</code> as stated in the TLS Baseline Requirements, resolving a discrepancy introduced by <a href="https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/" id="m_-8188833827234568029OWAe5a67835-946e-0a88-8fc0-ff52757f28d0" title="https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/" target="_blank">Ballot SC-62v2</a> between section <a href="https://cabforum.org/working-groups/server/baseline-requirements/requirements/#71279-subscriber-certificate-certificate-policies" id="m_-8188833827234568029OWA51f2e7c6-c8e5-adb2-cc71-4d9b546f7171" title="https://cabforum.org/working-groups/server/baseline-requirements/requirements/#71279-subscriber-certificate-certificate-policies" target="_blank">7.1.2.7.9 Subscriber Certificate Policies</a> of the BRs and the <a href="https://cabforum.org/working-groups/server/extended-validation/guidelines/#97-additional-technical-requirements-for-ev-certificates" id="m_-8188833827234568029OWA3c2e53da-5080-3903-dd9c-546c67e02210" title="https://cabforum.org/working-groups/server/extended-validation/guidelines/#97-additional-technical-requirements-for-ev-certificates" target="_blank">Additional Technical Requirements for EV Certificates</a> in the EVGs.</div><div 
style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">The following motion has been proposed by Paul van Brouwershaven (Entrust) and endorsed by Dimitris Zacharopoulos (HARICA) and Iñigo Barreira (Sectigo).</div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">You can view and comment on the GitHub pull request representing this ballot here: <a href="https://github.com/cabforum/servercert/pull/490" id="m_-8188833827234568029OWA4e6077f1-fd14-9726-f234-d4030b3b8240" target="_blank">https://github.com/cabforum/servercert/pull/490</a> </div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">--- Motion Begins ---</div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">This ballot modifies the “Guidelines for the Issuance and Management of Extended Validation Certificates” (“EV Guidelines”) as follows, based on version 1.8.1:</div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div 
style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">MODIFY the Extended Validation Guidelines as specified in the following redline:<span> </span><a href="https://github.com/cabforum/servercert/compare/8e7fc7d5cac0cc27c44fe2aa88cf45f5606f4b94...7b9bb1dbfd41b1d0459b8a985ed629ad841ce122" id="m_-8188833827234568029OWA78e56738-cd7f-1b91-0a5f-e85b89c3cf91" target="_blank">https://github.com/cabforum/servercert/compare/8e7fc7d5cac0cc27c44fe2aa88cf45f5606f4b94...7b9bb1dbfd41b1d0459b8a985ed629ad841ce122</a> </div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">--- Motion Ends ---</div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">Discussion (at least 7 days):</div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">- Start: 2024-03-15 10:00 UTC</div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">- End no earlier than 2024-03-22 10:00 UTC</div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">Vote for approval (7 days):</div><div 
style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">- Start: TBD</div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt">- End: TBD</div><div style="text-align:left;text-indent:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt"><br></div><span style="font-family:Helvetica;font-size:12px">_______________________________________________</span><br><span style="font-family:Helvetica;font-size:12px">Servercert-wg mailing list</span><br><span style="font-family:Helvetica;font-size:12px"><a href="mailto:Servercert-wg@cabforum.org" id="m_-8188833827234568029OWA080c6599-f91e-c7aa-ab6d-5c7e3480ce77" style="text-align:left" target="_blank">Servercert-wg@cabforum.org</a></span><br><span style="font-family:Helvetica;font-size:12px"><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" id="m_-8188833827234568029OWA56a79179-05e0-e1b3-590f-45eaf15b8d61" style="text-align:left" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></blockquote></div></blockquote></div><br></div></div></div>
</blockquote></div>
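The RFC 5280 §4.2.1.4 recommendation quoted in the thread is mechanically checkable: a CA can lint its own certificatePolicies extension for qualifiers and then decide, per policy, whether the BR "NOT RECOMMENDED" or the EVG requirement governs. The following is an added example, not code from any participant in the thread or from the CA/Browser Forum: a stdlib-only DER parser that lists each PolicyInformation entry and the qualifier types it carries, run over a constructed sample. The helper names, the `cps.example` URI and the sample bytes are constructed for this example; the OIDs are the CA/Browser Forum EV (2.23.140.1.1) and OV (2.23.140.1.2.2) policy identifiers and RFC 5280's id-qt-cps (1.3.6.1.5.5.7.2.1).

```python
# Audit a DER-encoded certificatePolicies extension value (RFC 5280 4.2.1.4):
# list each PolicyInformation entry and the policyQualifiers it carries.
EV_POLICY = "2.23.140.1.1"        # CA/Browser Forum EV policy OID
OV_POLICY = "2.23.140.1.2.2"      # CA/Browser Forum OV policy OID
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # id-qt-cps qualifier type (CPS pointer)

def _tlv(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder used only to build the constructed sample (short-form lengths)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER element at pos -> (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                            # long-form length, as real certs use
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def audit_certificate_policies(ext_value: bytes) -> list[dict]:
    """One record per PolicyInformation: its policy OID and qualifier-type OIDs."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    records, pos = [], 0
    while pos < len(body):
        _, info, pos = _read_tlv(body, pos)          # PolicyInformation
        _, oid_body, p = _read_tlv(info, 0)          # policyIdentifier
        rec = {"policy": _decode_oid(oid_body), "qualifiers": []}
        if p < len(info):                            # OPTIONAL policyQualifiers present
            quals, q = _read_tlv(info, p)[1], 0
            while q < len(quals):
                _, pq, q = _read_tlv(quals, q)       # PolicyQualifierInfo
                rec["qualifiers"].append(_decode_oid(_read_tlv(pq, 0)[1]))
        records.append(rec)
    return records

def br_findings(ext_value: bytes) -> list[str]:
    """Policies carrying qualifiers: NOT RECOMMENDED by the BR profile, yet EVG 9.7 requires them for EV."""
    return [r["policy"] for r in audit_certificate_policies(ext_value) if r["qualifiers"]]

# Constructed sample: EV policy with one CPS-URI qualifier, OV policy with none.
SAMPLE = _tlv(0x30, _tlv(0x30, _oid(EV_POLICY) + _tlv(0x30, _tlv(0x30,
    _oid(ID_QT_CPS) + _tlv(0x16, b"https://cps.example/")))) + _tlv(0x30, _oid(OV_POLICY)))
```

On a real certificate the input is the extension's extnValue OCTET STRING contents; `br_findings(SAMPLE)` reports only the EV policy, which is exactly the entry where the BR profile and the current EVG text pull in opposite directions.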