<div dir="ltr"><div>I have three questions about the implications of changes proposed by this ballot:</div><div><br></div><div>1. Section 9.6.1 adds language that imposes or makes the following requirements explicit:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">i. the Subscriber has been provided with the most current version of the Subscriber Agreement;<br>ii. the applicable Subscriber Agreement is the Subscriber Agreement that was accepted when the Certificate was issued; and</blockquote><div><br></div><div>I am aware that ACME RFC 8555 section 7.3.3 provides a mechanism for updating the Subscriber Agreement ("Terms of Service" in the RFC). The language above seems to imply that this mechanism must be used whenever a CA changes their Subscriber Agreement. Has this mechanism been deployed and used at scale?</div><div><br></div><div>Side note here that "accepted when the Certificate was issued" could be misconstrued to conflict with the statement in 9.6.3 that "a single Subscriber Agreement MAY be used to cover multiple future certificate requests and the resulting Certificates". I'd suggest changing "accepted" to "in force".</div><div><br></div><div>2. Section 9.6.3 states that "The CA SHALL implement a process to ensure that ... if the CA and Subscriber are the same entity or are Affiliated, that the Applicant has committed to comply with the Subscriber Agreement." How would an auditor confirm this? <br></div><div><br></div><div>3. Finally, I'm wondering if some CAs could find themselves out of compliance when these changes go into effect because they rely on Terms of Use or need to update their Subscriber Agreement and/or CP/CPS? 
I don't have a strong opinion here, but a defined effective date for these changes might make sense.<br></div><div><br></div><div>Thanks,</div><div><br></div><div>Wayne<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 11, 2024 at 5:49 PM Dustin Hollenback via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-US">
<div>
<div>
<p class="MsoNormal" style="background:white">
<b><span style="font-family:"Arial",sans-serif;color:black">Purpose of Ballot SC-071</span></b><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">This ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates related to Subscriber Agreements and Terms of Use. It combines
the requirements for both into only the Subscriber Agreement and clarifies the requirement language. It removes the requirement and reference to "Terms of Use".</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">Notes:</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">• This removes any ambiguity to ensure that there is no requirement that the Subscriber Agreement be legally enforceable when the CA and Subscriber are affiliated.</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">• This updates definitions for “Subscriber” and “Subscriber Agreement” and removes the definition for “Terms of Use” as these separate concepts are creating unnecessary work
for CAs and Subscribers without adding any value when separated.</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">• While drafting this ballot, there were concerns raised related to “Applicant” and “Applicant Representative”. These definitions were intentionally not modified in this
ballot as they will require more discussion after we implement the change to Subscriber Agreement and removal of Terms of Use.</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">• As observed with other ballots in the past, minor administrative updates must be made to the proposed ballot text before publication such that the appropriate Version #
and Change History are accurately represented (e.g., to indicate these changes will be represented in Version 2.0.3).</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">• This ballot does not modify the “Guidelines for the Issuance and Management of Extended Validation Certificates”. More work will be made to that document after changes
are finalized in this one.</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">The following motion has been proposed by Dustin Hollenback of Microsoft, and endorsed by Tadahiko Ito of SECOM and Ben Wilson of Mozilla.</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<b><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">— Motion Begins —</span></b><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.2.</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">MODIFY the Baseline Requirements as specified in the following Redline:</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-family:"Arial",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-family:"Arial",sans-serif;color:black">Here is a link to the GitHub redline:</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-family:"Arial",sans-serif;color:black"><a href="https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...1a33a904c9f7d8c9d42289f2f458358551d" target="_blank">https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...1a33a904c9f7d8c9d42289f2f458358551db9f2f</a></span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-family:"MS PGothic",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<b><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">— Motion Ends —</span></b><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<b><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">Discussion (7+ days)</span></b><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">• Start time: 2024-04-12 01:00:00 UTC</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">• End time: 2024-04-20 01:00:00 UTC</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<b><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">Vote for approval (7 days)</span></b><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">• Start time: XXXX-XX-XX 22:00:00 UTC</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">• End time: XXXX-XX-XX 22:00:00 UTC</span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="background:white">
<span style="font-size:11pt;font-family:"HelveticaNeue",serif;color:black"> </span><span style="font-family:"HelveticaNeue",serif;color:black"><u></u><u></u></span></p>
</div>
</div>
</div>
</div></blockquote></div>