<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Antti,<br>
<br>
The ballot number seems to be ok.<br>
<br>
Check out
<a class="moz-txt-link-freetext" href="https://wiki.cabforum.org/books/server-certificate-wg/page/scwg-ballots-wuG">https://wiki.cabforum.org/books/server-certificate-wg/page/scwg-ballots-wuG</a><br>
<br>
It looks like Ben and Dustin need to get a new number and add a row
to the corresponding table.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<div class="moz-cite-prefix">On 19/3/2024 7:19 a.m., Backman, Antti
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018e5526cb42-2a304c07-baa8-4bea-87a2-48e2633b331f-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator"
content="Microsoft Word 15 (filtered medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}div.WordSection1
{page:WordSection1;}</style>
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Hi Chris<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Could
there be a numbering clash with this ballot and the one
being worked on by Ben Wilson?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">“[Servercert-wg]
Draft Ballot SC-067: Applicant, Subscriber and Subscriber
Agreements - Feedback r”<br>
<br>
As I am not completely sure how ballot numbering should work,
can the numbers be recycled, or how does that pan out?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">//Antti</span><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="color:black">From: </span></b><span
style="color:black">Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org"><servercert-wg-bounces@cabforum.org></a> on behalf
of Chris Clements via Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a><br>
<b>Date: </b>Monday, 18. March 2024 at 17.32<br>
<b>To: </b>CA/B Forum Server Certificate WG Public
Discussion List <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a><br>
<b>Subject: </b>[Servercert-wg] Discussion Period
Begins - Ballot SC-067 V1: "Require domain validation
and CAA checks to be performed from multiple Network
Perspectives"<o:p></o:p></span></p>
</div>
<div>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Purpose
of Ballot SC-067</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">This
Ballot proposes updates to the <i>Baseline
Requirements for the Issuance and Management of
Publicly-Trusted TLS Server Certificates</i> (i.e.,
TLS BRs) related to “Multi-Perspective Issuance
Corroboration” (“MPIC”).</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Background</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- MPIC
refers to performing domain validation and CAA checks
from multiple Network Perspectives before certificate
issuance, as described within the Ballot for the
applicable validation methods in TLS BR Sections
3.2.2.4 and 3.2.2.5.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- Not all
methods described in TLS BR Sections 3.2.2.4 and
3.2.2.5 will require using MPIC.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- This
work was most recently motivated by research presented
at Face-to-Face 58 [1] by Princeton University, but
has been discussed for years prior as well.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- The
goal of this proposal is to make it more difficult for
adversaries to successfully launch equally-specific
prefix attacks against the domain validation processes
described in the TLS BRs.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Additional background information can be found in an
update shared at Face-to-Face 60 [2].</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Benefits
of Adoption</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- Recent
publicly-documented attacks have used BGP hijacks to
fool domain control validation and obtain malicious
certificates, which led to the impersonation of HTTPS
websites [3][4].</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- Routing
security defenses (e.g., RPKI) can mitigate the risk
of global BGP attacks, but localized, equally-specific
BGP attacks still pose a significant threat to the Web
PKI [5][6].</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Corroborating domain control validation checks from
multiple network perspectives (i.e., MPIC) spread
across the Internet substantially reduces the threat
posed by equally-specific BGP attacks, ensuring the
integrity of domain validation and issuance decisions
[5][7][8].</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Existing deployments of MPIC at the scale of millions
of certificates a day demonstrate the feasibility of
this technique at Internet scale [7][9].</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Intellectual
Property (IP) Disclosure</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- While
not a Server Certificate Working Group Member,
researchers from Princeton University presented at
Face-to-Face 58, provided academic expertise, and
highlighted publicly-available peer-reviewed research
to support Members in drafting this ballot.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- The
Princeton University researchers indicate that they
have not filed for any patents relating to their MPIC
work and do not plan to do so in the future.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Princeton University has indicated that it is unable
to agree to the CA/Browser Forum IPR agreement because
it could encumber inventions invented by researchers
not involved in the development of MPIC or with the
CA/B Forum.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Princeton University has instead provided the attached
IPR statement. Pursuant to the IPR statement,
Princeton University has granted a worldwide royalty
free license to the intellectual property in MPIC
developed by the researchers and has made
representations regarding its lack of knowledge of any
other Princeton intellectual property needed to
implement MPIC.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- For
clarity, Princeton University’s IPR statement is NOT
intended to replace the Forum’s IPR agreement or allow
Princeton to participate in the Forum in any capacity.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- Members
seeking legal advice regarding this ballot should
consult their own counsel.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Proposal
Revision History</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Pre-Ballot Release #1 (work team artifacts and broader
Validation Subcommittee collaboration) [10]</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Pre-Ballot Release #2 [11]</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Previous
versions of this Ballot</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- N/A,
this is the first discussion period.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">References</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[1] </span><a
href="https://cabforum.org/wp-content/uploads/13-CAB-Forum-face-to-face-multiple-vantage-points.pdf"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://cabforum.org/wp-content/uploads/13-CAB-Forum-face-to-face-multiple-vantage-points.pdf</span></a><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[2] </span><a
href="https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view?usp=drive_link"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view?usp=drive_link</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[3] </span><a
href="https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[4] </span><a
href="https://www.coinbase.com/blog/celer-bridge-incident-analysis"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.coinbase.com/blog/celer-bridge-incident-analysis</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[5] </span><a
href="https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[6] </span><a
href="https://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[7] </span><a
href="https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[8] </span><a
href="https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[9] </span><a
href="https://security.googleblog.com/2023/05/google-trust-services-acme-api_0503894189.html"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://security.googleblog.com/2023/05/google-trust-services-acme-api_0503894189.html</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[10] </span><a
href="https://github.com/ryancdickson/staging/pull/6"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/ryancdickson/staging/pull/6</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[11] </span><a
href="https://github.com/ryancdickson/staging/pull/8"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/ryancdickson/staging/pull/8</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">The
following motion has been proposed by Chris Clements
and Ryan Dickson of Google (Chrome Root Program) and
endorsed by Aaron Gable (ISRG / Let’s Encrypt) and
Wayne Thayer (Fastly). </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:black">— Motion
Begins —</span></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">This ballot
modifies the “Baseline Requirements for the Issuance
and Management of Publicly-Trusted TLS Server
Certificates” (“Baseline Requirements”), based on
Version 2.0.2.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">MODIFY the
Baseline Requirements as specified in the following
Redline:</span><o:p></o:p></p>
<p style="margin:0cm"><a
href="https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35..6d10abda8980c6eb941987d3fc26e753e62858c0"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35..6d10abda8980c6eb941987d3fc26e753e62858c0</span></a><span
style="font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:black">— Motion
Ends —</span></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">This ballot
proposes a Final Maintenance Guideline. The procedure
for approval of this ballot is as follows:</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:black">Discussion
(at least 21 days)</span></b><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- Start:
2024-03-18 15:30:00 UTC</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- End no
earlier than: 2024-04-07 15:30:00 UTC</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:black">Vote for
approval (7 days)</span></b><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- Start:
TBD</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- End: TBD</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
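<p>The corroboration idea behind the ballot quoted above, as an added example that is not part of the original thread or of the ballot text: a toy Python simulation in which a CA performs domain control validation and the CAA lookup from its own primary perspective plus several remote perspectives, then applies a quorum rule before deciding to issue. The perspective names, region labels, the quorum numbers (two corroborating remote perspectives in at least two regions) and the per-perspective observations are all assumptions chosen for illustration; the ballot's actual requirements are in the linked redline, not in this code. A localized, equally-specific hijack that captures only the paths near the CA still fools a single-perspective check but fails the quorum, while a hijack wide enough to capture diverse perspectives still succeeds, which is why the ballot text says MPIC reduces rather than eliminates the threat.</p>

```python
"""Toy Multi-Perspective Issuance Corroboration (MPIC) simulation.

Added example: this is not code from the ballot, the CA/Browser Forum or any
CA.  The quorum numbers, perspective names, region labels and per-perspective
observations below are assumptions chosen to illustrate the corroboration
idea, not the ballot's actual requirements.
"""
from __future__ import annotations

from dataclasses import dataclass

CA_ID = "ca.example"                   # assumed: issuer-domain of "our" CA for CAA purposes
CHALLENGE = "cabf-mpic-example-token"  # assumed: the DCV token the CA asked the applicant to publish


@dataclass(frozen=True)
class Perspective:
    name: str    # assumed vantage-point name
    region: str  # assumed coarse region label, used for the diversity check


@dataclass(frozen=True)
class Observation:
    """What one perspective saw when it performed DCV and the CAA lookup."""
    token: str | None           # content found at the challenge location, None if absent
    caa_issue: frozenset[str]   # issuer-domains from CAA "issue" records; empty = no CAA record


PRIMARY = Perspective("primary-eu", "EU")
REMOTES = [
    Perspective("remote-de", "EU"),
    Perspective("remote-us-east", "NA"),
    Perspective("remote-us-west", "NA"),
    Perspective("remote-sg", "AP"),
]
ALL = [PRIMARY, *REMOTES]


def observation_passes(obs: Observation) -> bool:
    """A perspective corroborates issuance only if DCV and CAA both permit it.
    Per RFC 8659, the absence of any CAA record means no restriction."""
    dcv_ok = obs.token == CHALLENGE
    caa_ok = not obs.caa_issue or CA_ID in obs.caa_issue
    return dcv_ok and caa_ok


def single_perspective_decision(views: dict[Perspective, Observation]) -> bool:
    """Pre-MPIC behaviour: trust whatever the CA's own network saw."""
    return observation_passes(views[PRIMARY])


def mpic_decision(views: dict[Perspective, Observation], *, quorum: int,
                  min_regions: int) -> tuple[bool, str]:
    """Assumed policy: the primary must pass, at least `quorum` remotes must
    corroborate, and those remotes must span at least `min_regions` regions."""
    if not observation_passes(views[PRIMARY]):
        return False, "primary perspective failed DCV or CAA"
    agreeing = [p for p in REMOTES if observation_passes(views[p])]
    if len(agreeing) < quorum:
        return False, f"only {len(agreeing)} of {len(REMOTES)} remote perspectives corroborate"
    regions = {p.region for p in agreeing}
    if len(regions) < min_regions:
        return False, f"corroborating perspectives span only {len(regions)} region(s)"
    return True, f"corroborated by {len(agreeing)} remotes across {len(regions)} regions"


# --- constructed scenarios (assumptions, not observed data) -----------------
# Victim's real zone: the token was never provisioned and CAA names a different CA.
HONEST_VIEW = Observation(None, frozenset({"other-ca.example"}))
# What a perspective sees when the attacker's equally-specific announcement
# captures its path: the attacker serves the token and a permissive CAA answer.
HIJACKED_VIEW = Observation(CHALLENGE, frozenset({CA_ID}))
# A genuine applicant who published the token and whose CAA permits this CA.
# Deliberately identical to HIJACKED_VIEW: one perspective cannot tell them apart.
LEGIT_VIEW = Observation(CHALLENGE, frozenset({CA_ID}))


def legitimate_scenario() -> dict[Perspective, Observation]:
    return {p: LEGIT_VIEW for p in ALL}


def attack_scenario(hijacked: set[str]) -> dict[Perspective, Observation]:
    """`hijacked` names the perspectives whose route to the victim is captured."""
    return {p: HIJACKED_VIEW if p.name in hijacked else HONEST_VIEW for p in ALL}


if __name__ == "__main__":
    policy = dict(quorum=2, min_regions=2)
    cases = {
        "legitimate applicant": legitimate_scenario(),
        "localized hijack near the CA": attack_scenario({"primary-eu", "remote-de"}),
        "wider hijack (EU + APAC)": attack_scenario({"primary-eu", "remote-de", "remote-sg"}),
    }
    for label, views in cases.items():
        ok, why = mpic_decision(views, **policy)
        print(f"{label:30s} single={single_perspective_decision(views)!s:5s} "
              f"mpic={ok!s:5s} ({why})")
```

Run it directly to print the three constructed cases side by side. The CAA lookup is folded into each perspective's observation on purpose: a hijack that can forge the challenge response can usually forge the CAA answer for the same perspective, so corroborating one without the other gains little.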
<br>
</body>
</html>