<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 10/5/2024 6:52 PM, Tim Hollebeek
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018f63348767-250e35ef-0492-45d1-86f2-d2dd8e88851f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Whether the
comparison should be case sensitive or not is not a question
of how “strict” the linter should be, but what the
requirements are. Linters MUST NOT make their own
determinations as to what the requirements are, and SHOULD
highlight cases like this where ambiguity may be present.
For example, it would be sensible to WARN that a value
deviates in case from the correct value, and that the
requirements are unclear whether that’s allowed (assuming
SC-74 had passed in its current form).</span></p>
</div>
</blockquote>
<br>
I agree with this statement because we are constantly trying to make
the requirements so clear that adherence to them can actually be
coded in linters, even for a text document that is supposed to be
read by humans.<br>
<br>
<blockquote type="cite"
cite="mid:0100018f63348767-250e35ef-0492-45d1-86f2-d2dd8e88851f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">However, I
would question whether it’s actually even unclear at all.
It’s impossible to interpret the highlighted language into
a, b, or c, because the language is completely silent on not
just capitalization, but the titles themselves. I interpret
the highlighted language as saying you have to include at
least every section and subsection, but it doesn’t matter
what titles you give those sections or subsections (since
there’s no relevant requirements). </span></p>
</div>
</blockquote>
<br>
Based on the current BRs and EV Guidelines, CP/CPS documents need to
be structured in accordance with RFC 3647. That must have meant
something for CAs and auditors, so I don't agree that there are no
relevant requirements. Some requirements don't need to be fully
prescriptive to make sense, and a Qualified Auditor would be in a
position to check whether a CP/CPS follows the outline (even with
case insensitive or slightly different/clearer wording of the
section title), or whether it is structured according to the old EV
Guidelines which did not follow the outline at all.<br>
<br>
<blockquote type="cite"
cite="mid:0100018f63348767-250e35ef-0492-45d1-86f2-d2dd8e88851f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt"> That’s what
the highlighted text says, and questions of whether it has
to be capitalized the same way miss the fact that it doesn’t
even say the same titles need to be used.</span></p>
</div>
</blockquote>
<br>
Please recall that this came from the <a
href="https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#33-cps-and-cpses">MRSP</a>
which says "include at least every section and subsection defined in
RFC 3647", which is actually a bit worse than what the ballot said,
so I think it should also be fixed there :-)<br>
<br>
<blockquote type="cite"
cite="mid:0100018f63348767-250e35ef-0492-45d1-86f2-d2dd8e88851f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">There are
also some hilarious errors in 3647 if you look closely. I
think the best path forward would be something along the
lines of:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level1 lfo10"><span
style="font-size:11.0pt">MUST include at least every
section and subsection defined in Appendix ZZ, and MUST
use the section and subsection titles listed there<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level1 lfo10"><span
style="font-size:11.0pt">The titles SHOULD be formatted,
worded, capitalized and spelled the same way, and<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level1 lfo10"><span
style="font-size:11.0pt">Errors in formatting or titling
sections of a CPS are not grounds for revocation of
affected certificates.<o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">And then
explicitly list the outline we want in Appendix ZZ. The
outline should be very close to what 3647 says, to avoid
unnecessary churn or deviation from IETF standards, but it
would give us a chance to fix the obvious errors, and
perhaps fix some historical baggage.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The
resulting outline could be submitted back to IETF for
publication as an update to 3647, which is starting to show
its age.</span></p>
</div>
</blockquote>
<br>
100% on board with this. It's not a super-urgent matter but I'm
confident we'll get the language right and contribute back to IETF.<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:0100018f63348767-250e35ef-0492-45d1-86f2-d2dd8e88851f-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div
style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">
Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org">&lt;servercert-wg-bounces@cabforum.org&gt;</a> <b>On
Behalf Of </b>Roman Fischer via Servercert-wg<br>
<b>Sent:</b> Friday, May 10, 2024 4:20 AM<br>
<b>To:</b> CA/B Forum Server Certificate WG Public
Discussion List <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org">&lt;servercert-wg@cabforum.org&gt;</a><br>
<b>Subject:</b> Re: [Servercert-wg] Ballot SC-74 -
Clarify CP/CPS structure according to RFC 3647<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">Hi
Wendy,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">I
would definitely go for c) because the documents are
overall not standardized enough to do any kind of
automatic parsing where a) or b) would maybe help.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">Rgds<br>
Roman<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif"><o:p> </o:p></span></p>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">
Servercert-wg &lt;<a
href="mailto:servercert-wg-bounces@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>&gt;
<b>On Behalf Of </b>Wendy Brown - QT3LB-C via
Servercert-wg<br>
<b>Sent:</b> Thursday, 9 May 2024 16:58<br>
<b>To:</b> Aaron Gable &lt;<a
href="mailto:aaron@letsencrypt.org"
moz-do-not-send="true" class="moz-txt-link-freetext">aaron@letsencrypt.org</a>&gt;<br>
<b>Cc:</b> CA/B Forum Server Certificate WG Public
Discussion List &lt;<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;<br>
<b>Subject:</b> Re: [Servercert-wg] Ballot SC-74 -
Clarify CP/CPS structure according to RFC 3647<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="DE">OK - then I have a
question for all those voting on SC74 (as an Associate
member rep, I do not have a vote)<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="DE">How do you interpret
the proposed new language:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:Consolas;color:#1F2328;background:#DAFBE1"
lang="DE">include at least every section and
subsection defined in section 6 of RFC 3647</span><span
lang="DE"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:Consolas;color:#1F2328" lang="DE">Does
this mean:</span><span lang="DE"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:Consolas;color:#1F2328" lang="DE">a)
that the section and subsection headers have to
exactly match the text in RFC 3647 including its use
of capitalization, or </span><span lang="DE"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:Consolas;color:#1F2328" lang="DE">b)
just that the words must be the same or </span><span
lang="DE"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:Consolas;color:#1F2328" lang="DE">c)
you just have to have the same numbering and the title
can be slightly different as long as it covers the
intended content?</span><span lang="DE"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:Consolas;color:#1F2328" lang="DE">Sorry
to not have asked this during the discussion period,
until I saw the output of the linter Aaron prepared,
it didn't occur to me that anyone would have
interpreted it as the capitalization had to match.</span><span
lang="DE"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:Consolas;color:#1F2328" lang="DE">thanks,<br
clear="all">
</span><span lang="DE"><o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:'Segoe Script'"
lang="DE">Wendy</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE">Wendy Brown<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE">Supporting GSA<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE">FPKIMA Technical Liaison<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE">Protiviti Government Services<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif"
lang="DE">703-965-2990 (cell)</span><span
lang="DE"><o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="DE">On Thu, May 9, 2024
at 10:33</span><span
style="font-family:'Arial',sans-serif"
lang="DE"> </span><span lang="DE">AM Aaron Gable &lt;<a
href="mailto:aaron@letsencrypt.org"
moz-do-not-send="true" class="moz-txt-link-freetext">aaron@letsencrypt.org</a>&gt;
wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span lang="DE">I think that is a
question to be taken up with the authors of SC-74,
and with the root programs. In the interest of
caution, I think this linting tool should err on
the side of strictness. It is open source,
however, so you are of course free to modify it
for your own preferences.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="DE">Aaron<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="DE"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="DE">On Thu, May
9, 2024, 04:57 Wendy Brown - QT3LB-C &lt;<a
href="mailto:wendy.brown@gsa.gov"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">wendy.brown@gsa.gov</a>&gt;
wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="DE">Aaron - <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="DE">Can I
suggest that maybe the comparison should
be done in a case blind fashion?<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="DE">For
example, requiring the headers for the
subsections of 1.3 to have the second
word lower case when it is common
practice to refer to Certification
Authorities as CAs and Registration
Authorities as RAs, etc. just makes the
document inconsistent. I understand the
goal is to try to make comparisons
easier, but requiring all Public Trusted
CAs have these style inconsistencies in
their own documentation seems like a
step too far.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="DE">thanks,<br
clear="all">
<o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:'Segoe Script'" lang="DE">Wendy</span><span
lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE">Wendy Brown<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE">Supporting GSA<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE">FPKIMA Technical Liaison<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
lang="DE">Protiviti Government
Services<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif"
lang="DE">703-965-2990 (cell)</span><span
lang="DE"><o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="DE">On Wed,
May 8, 2024 at 6:06</span><span
style="font-family:'Arial',sans-serif" lang="DE"> </span><span
lang="DE">PM Aaron Gable via Servercert-wg
&lt;<a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;
wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="DE">Of
course! Done: <a
href="https://github.com/cabforum/servercert/issues/513"
target="_blank"
moz-do-not-send="true">https://github.com/cabforum/servercert/issues/513</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="DE">On
Wed, May 8, 2024 at 8:37</span><span
style="font-family:'Arial',sans-serif" lang="DE"> </span><span
lang="DE">AM Dimitris Zacharopoulos
(HARICA) &lt;<a
href="mailto:dzacharo@harica.gr"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>&gt;
wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
lang="DE">Thanks Aaron,<br>
<br>
Would it be ok for you to create a <a
href="https://github.com/cabforum/servercert/issues"
target="_blank"
moz-do-not-send="true">GitHub
issue</a> to identify the specific
sections that deviate in content? We
might tackle that in a cleanup
ballot. I don't think the
capitalization is so much of a
concern but if others think it is,
please speak up :) <br>
<br>
<br>
Dimitris.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="DE">On
8/5/2024 1:19 AM, Aaron Gable
wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span
lang="DE">Two notes on this
ballot, findings from our
process for handling upcoming
requirements:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="DE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="DE">1) Let's Encrypt has
<a
href="https://github.com/letsencrypt/cp-cps/tree/d5b258a/tools/lint"
target="_blank"
moz-do-not-send="true">created
and open-sourced a tool</a>
for linting a CPS to confirm
compliance with RFC 3647
Section 6 and Ballot SC-074.
If you maintain your CPS
document in markdown, it
should be very simple to use
or adapt to your particular
situation.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="DE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="DE">2) The Baseline
Requirements themselves do not
quite comply with RFC 3647
Section 6, with several
section titles that deviate
from that outline in either
capitalization or actual
content.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="DE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="DE">We hope this
information is helpful to
others,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="DE">Aaron<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="DE"><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
lang="DE">On Thu, Apr 25,
2024 at 9:27</span><span
style="font-family:'Arial',sans-serif" lang="DE"> </span><span
lang="DE">AM Dimitris
Zacharopoulos (HARICA) via
Servercert-wg &lt;<a
href="mailto:servercert-wg@cabforum.org" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt; wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
lang="DE"><o:p> </o:p></span></p>
<h1><span lang="DE">SC-74 -
Clarify CP/CPS structure
according to RFC 3647<o:p></o:p></span></h1>
<h2
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-summary"><span
lang="DE">Summary<o:p></o:p></span></h2>
<p
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-the-tls-baseline-req"><span
lang="DE">The TLS Baseline
Requirements require in
section 2.2 that:<o:p></o:p></span></p>
<p
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-%22the-certificate-pol"><em><span
style="font-family:'Aptos',sans-serif" lang="DE">"The
Certificate Policy
and/or Certification
Practice Statement MUST
be structured in
accordance with RFC 3647
and MUST include all
material required by RFC
3647."</span></em><span
lang="DE"><o:p></o:p></span></p>
<p
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-the-intent-of-this-l"><span
lang="DE">The intent of
this language was to
ensure that all CAs' CP
and/or CPS documents
contain a similar
structure, making it
easier to review and
compare against the BRs.
However, there was some
ambiguity as to the actual
structure that CAs should
follow. After several
discussions in the <a
href="https://lists.cabforum.org/pipermail/servercert-wg/2023-November/004070.html"
target="_blank"
moz-do-not-send="true">SCWG
Public Mailing List</a>
and F2F meetings, it was
agreed that more clarity
should be added to the
existing requirement,
pointing to the outline
described in section 6 of
RFC 3647.<o:p></o:p></span></p>
<p class="MsoNormal"><span
lang="DE">The following
motion has been proposed
by Dimitris Zacharopoulos
(HARICA) and endorsed by
Aaron Poulsen (Amazon) and
Tim Hollebeek (Digicert).
<o:p></o:p></span></p>
<p><span lang="DE">You can
view the github pull
request representing this
ballot <a
href="https://github.com/cabforum/servercert/pull/503"
target="_blank"
moz-do-not-send="true">here</a>. <o:p></o:p></span></p>
<h2
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-motion-begins"><span
lang="DE">Motion Begins<o:p></o:p></span></h2>
<p
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-modify-the-%22baseline"><span
lang="DE">MODIFY the
"Baseline Requirements for
the Issuance and
Management of
Publicly-Trusted TLS
Server Certificates" based
on Version 2.0.4 as
specified in the following
redline:<o:p></o:p></span></p>
<ul
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-https%3A%2F%2Fgithub.com%2Fc"
type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3"><span
lang="DE"><a
href="https://github.com/cabforum/servercert/compare/c4a34fe2292022e0a04ba66b5a85df75907ac2a2...f6a90e2a652fbb7a2d62a976b70f4af3adce8dae"
target="_blank"
moz-do-not-send="true">https://github.com/cabforum/servercert/compare/c4a34fe2292022e0a04ba66b5a85df75907ac2a2...f6a90e2a652fbb7a2d62a976b70f4af3adce8dae</a>
<o:p></o:p></span></li>
</ul>
<h2
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-motion-ends"><span
lang="DE">Motion Ends<o:p></o:p></span></h2>
<p
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-this-ballot-proposes"><span
lang="DE">This ballot
proposes a Final
Maintenance Guideline. The
procedure for approval of
this ballot is as follows:<o:p></o:p></span></p>
<h4
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-discussion-%2811%2B-days"><span
lang="DE">Discussion (at
least 7 days)<o:p></o:p></span></h4>
<ul
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-start-time%3A-2024-01-"
type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo6"><span
lang="DE">Start time:
2024-04-25 16:30:00 UTC<o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo6"><span
lang="DE">End time: on
or after 2024-05-02
16:30:00 UTC<o:p></o:p></span></li>
</ul>
<h4
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-vote-for-approval-%287"><span
lang="DE">Vote for
approval (7 days)<o:p></o:p></span></h4>
<ul
id="m_-3117830645094531052m_-6327247601565009468m_-6450730596943934832m_-335726473920697852m_-8449533255907748392bkmrk-start-time%3A-tbd-end-"
type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo9"><span
lang="DE">Start time:
TBD<o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo9"><span
lang="DE">End time: TBD<o:p></o:p></span></li>
</ul>
<p class="MsoNormal"><span
lang="DE"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span
lang="DE">_______________________________________________<br>
Servercert-wg mailing list<br>
<a
href="mailto:Servercert-wg@cabforum.org" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
target="_blank"
moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></span></p>
</blockquote>
</div>
</div>
</blockquote>
<p class="MsoNormal"><span lang="DE"><o:p> </o:p></span></p>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
<br>
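The three readings of the ballot language raised in this thread (a: exact match including capitalization, b: same words, c: same numbering only) and the suggestion to WARN on case-only deviations can be compared on one input. The following is an added example, not part of the thread and not the Let's Encrypt linter; the policy names, function names and the sample CPS fragment are assumptions, as is treating a wording difference as an error under the "warn" policy.<br>

```python
import re
from typing import Dict, List, NamedTuple

# Excerpt of the RFC 3647 section 6 outline (section 1.3 only).
EXPECTED: Dict[str, str] = {
    "1.3": "PKI participants",
    "1.3.1": "Certification authorities",
    "1.3.2": "Registration authorities",
    "1.3.3": "Subscribers",
    "1.3.4": "Relying parties",
    "1.3.5": "Other participants",
}

# Constructed CPS fragment in markdown (not taken from any real CPS).
SAMPLE_CPS = """\
## 1.3 PKI Participants
### 1.3.1 Certification Authorities
### 1.3.2 Registration authorities
### 1.3.3 Subscribers and Applicants
### 1.3.5 Other participants
"""

# Markdown heading: hashes, dotted section number, then the title.
HEADING = re.compile(r"^#+\s+(\d+(?:\.\d+)*)\.?\s+(.*?)\s*$")

# Hypothetical policy names: "a", "b" and "c" follow the three readings in
# the thread; "warn" reports case-only deviations as warnings.
POLICIES = ("a", "b", "c", "warn")


class Finding(NamedTuple):
    level: str    # "ERROR" or "WARN"
    number: str   # section number the finding refers to
    message: str


def parse_headings(markdown: str) -> Dict[str, str]:
    """Map section number to title, keeping the first occurrence."""
    found: Dict[str, str] = {}
    for line in markdown.splitlines():
        match = HEADING.match(line)
        if match:
            title = " ".join(match.group(2).split())  # collapse whitespace
            found.setdefault(match.group(1), title)
    return found


def lint(markdown: str, policy: str = "warn",
         expected: Dict[str, str] = EXPECTED) -> List[Finding]:
    """Compare the headings in `markdown` with `expected` under `policy`."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    found = parse_headings(markdown)
    findings: List[Finding] = []
    for number, want in expected.items():
        if number not in found:
            # A missing section fails under every reading.
            findings.append(Finding(
                "ERROR", number, f"section missing, expected {want!r}"))
            continue
        got = found[number]
        if got == want or policy == "c":
            continue  # reading (c): the section number alone is enough
        if got.casefold() == want.casefold():
            detail = f"title {got!r} differs only in case from {want!r}"
            if policy == "a":
                findings.append(Finding("ERROR", number, detail))
            elif policy == "warn":
                findings.append(Finding("WARN", number, detail))
            # reading (b) accepts a case-only difference silently
        else:
            # Assumption of this example: different wording is an error
            # under "a", "b" and "warn" alike.
            findings.append(Finding(
                "ERROR", number, f"title {got!r} differs from {want!r}"))
    return findings


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"policy {policy}:")
        for finding in lint(SAMPLE_CPS, policy):
            print(f"  {finding.level} {finding.number}: {finding.message}")
```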
</body>
</html>