<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Apologies for the spam; for some reason I didn't see Rob's post in
the archives page on my computer, but it shows OK now.<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 5/7/2024 5:55 a.m., Dimitris
Zacharopoulos (HARICA) via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100019080d1e87f-16968626-9ef0-4e54-962c-0808ce35b90f-000000@email.amazonses.com">
Forwarding to the mailing list because it did not appear in the <a
href="https://lists.cabforum.org/pipermail/servercert-wg/2024-July/thread.html"
moz-do-not-send="true">archive</a>. <br>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject:
</th>
<td>Re: [Servercert-wg] Discussion Period Begins - Ballot
SC-067 V3: "Require domain validation and CAA checks to
be performed from multiple Network Perspectives"</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date:
</th>
<td>Thu, 4 Jul 2024 09:27:16 +0000</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">From:
</th>
<td>Rob Stradling via Servercert-wg <a
class="moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true">&lt;servercert-wg@cabforum.org&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Reply-To:
</th>
<td>Rob Stradling <a class="moz-txt-link-rfc2396E"
href="mailto:rob@sectigo.com" moz-do-not-send="true">&lt;rob@sectigo.com&gt;</a>,
CA/B Forum Server Certificate WG Public Discussion List
<a class="moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true">&lt;servercert-wg@cabforum.org&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
<td>So, Nicol <a class="moz-txt-link-rfc2396E"
href="mailto:nicol.so@commscope.com"
moz-do-not-send="true">&lt;nicol.so@commscope.com&gt;</a>,
CA/B Forum Server Certificate WG Public Discussion List
<a class="moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true">&lt;servercert-wg@cabforum.org&gt;</a>,
Chris Clements <a class="moz-txt-link-rfc2396E"
href="mailto:cclements@google.com"
moz-do-not-send="true">&lt;cclements@google.com&gt;</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
IANAL, but...</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
That <a
href="https://patents.google.com/patent/US11700263B2/en"
title="https://patents.google.com/patent/US11700263B2/en"
moz-do-not-send="true"> patent</a> was filed on 2019-10-11.<br>
<br>
</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
The <a
href="https://www.princeton.edu/~pmittal/publications/bgp-tls-usenix18.pdf"
id="OWAddf1aaf9-a68d-5b34-583a-787face71057"
class="OWAAutoLink"
title="https://www.princeton.edu/~pmittal/publications/bgp-tls-usenix18.pdf"
moz-do-not-send="true"> Princeton paper</a> that first
highlighted the need for MPIC in the WebPKI dates back to <u>2018</u>,
and section 5.1.3 of that paper describes <i>"Let’s Encrypt’s
preliminary deployment of multiple vantage points in their
staging environment"</i>.</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<hr style="display: inline-block; width: 98%;">
<div id="divRplyFwdMsg" dir="ltr"><span
style="font-family: Calibri, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);"><b>From:</b> Servercert-wg
<a class="moz-txt-link-rfc2396E"
href="mailto:servercert-wg-bounces@cabforum.org"
moz-do-not-send="true">&lt;servercert-wg-bounces@cabforum.org&gt;</a>
on behalf of Chris Clements via Servercert-wg <a
class="moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true">&lt;servercert-wg@cabforum.org&gt;</a><br>
<b>Sent:</b> 01 July 2024 21:42<br>
<b>To:</b> So, Nicol <a class="moz-txt-link-rfc2396E"
href="mailto:nicol.so@commscope.com"
moz-do-not-send="true">&lt;nicol.so@commscope.com&gt;</a>;
CA/B Forum Server Certificate WG Public Discussion List <a
class="moz-txt-link-rfc2396E"
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true">&lt;servercert-wg@cabforum.org&gt;</a><br>
<b>Subject:</b> Re: [Servercert-wg] Discussion Period Begins
- Ballot SC-067 V3: "Require domain validation and CAA
checks to be performed from multiple Network Perspectives"</span>
<div> </div>
</div>
<br>
<div style="direction: ltr;">All,<br>
<br>
We have considered the communication from CommScope dated May
30, 2024.<br>
<br>
We would like to proceed with a vote on Ballot SC-067 V3 on
July 15, 2024. If any SCWG participant has questions regarding
the communication or the referenced patent, we encourage them
to seek legal counsel.<br>
<br>
Thank you<br>
-Chris</div>
<br>
<div style="direction: ltr;">On Thu, May 30, 2024 at 4:50 PM So,
Nicol via Servercert-wg &lt;<a
href="mailto:servercert-wg@cabforum.org"
id="OWAfc317a79-bd9e-4d12-4be4-2b6962613068"
class="OWAAutoLink moz-txt-link-freetext"
moz-do-not-send="true">servercert-wg@cabforum.org</a>&gt;
wrote:</div>
<blockquote
style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left: 1px solid rgb(204, 204, 204);">
<p>I’ve come to be aware of a granted US patent that <i>seems</i> relevant
to the subject matter of Ballot SC-067 V3. The patent is US
11700263 B2 [1]. I don’t know whether the patent has been
considered in previous discussions in the CA/B Forum or the
SCWG, but I thought I should bring it to the attention of
SCWG members, in case it has not.</p>
<p> </p>
<p>If the patent has not been considered previously, I propose
that we extend the discussion period of this ballot so that
members have an opportunity to consult with their legal
counsel for advice.</p>
<p> </p>
<p>CommScope expresses no opinion on the patent, including but
not limited to its validity and whether it covers the
practices introduced in Ballot SC-067 V3.</p>
<p> </p>
<p>Best regards,</p>
<p>Nicol So</p>
<p>CommScope</p>
<p> </p>
<p>[1] <a
href="https://patents.google.com/patent/US11700263B2/en"
id="OWA35d8b327-a5a6-6642-3937-a71d914889b0"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">
https://patents.google.com/patent/US11700263B2/en</a></p>
<p> </p>
<div
style="padding: 3pt 0in 0in; border-top: 1pt solid rgb(225, 225, 225);">
<p><b>From:</b> Servercert-wg &lt;<a
href="mailto:servercert-wg-bounces@cabforum.org"
id="OWA2bfafae1-0c8e-27cf-61d6-164cbe4a0a82"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">servercert-wg-bounces@cabforum.org</a>&gt;
<b>On Behalf Of </b>Chris Clements via Servercert-wg<br>
<b>Sent:</b> Monday, May 20, 2024 10:30 AM<br>
<b>To:</b> CA/B Forum Server Certificate WG Public
Discussion List &lt;<a
href="mailto:servercert-wg@cabforum.org"
id="OWAccab327c-9805-4875-64eb-f77517fb8aa3"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">servercert-wg@cabforum.org</a>&gt;<br>
<b>Subject:</b> [Servercert-wg] Discussion Period Begins -
Ballot SC-067 V3: "Require domain validation and CAA
checks to be performed from multiple Network Perspectives"</p>
</div>
<p> </p>
<p> </p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"><b>Purpose
of Ballot SC-067 V3</b>:</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">This
Ballot proposes updates to the <i>Baseline Requirements
for the Issuance and Management of Publicly-Trusted TLS
Server Certificates</i> (i.e., TLS BRs) related to
“Multi-Perspective Issuance Corroboration” (“MPIC”).</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"><b>Background</b>:</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">- MPIC
refers to performing domain validation and CAA checks from
multiple Network Perspectives before certificate issuance,
as described within the Ballot for the applicable
validation methods in TLS BR Sections 3.2.2.4 and 3.2.2.5.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">- Not
all methods described in TLS BR Sections 3.2.2.4 and
3.2.2.5 will require using MPIC.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">- This
work was most recently motivated by research presented at
Face-to-Face 58 [1] by Princeton University, but has been
discussed for years prior as well.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">- The
goal of this proposal is to make it more difficult for
adversaries to successfully launch equally-specific prefix
attacks against the domain validation processes described
in the TLS BRs.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">-
Additional background information can be found in an
update shared at Face-to-Face 60 [2].</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"><b>Benefits
of Adoption</b>:</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">- Recent
publicly-documented attacks have used BGP hijacks to fool
domain control validation and obtain malicious
certificates, which led to the impersonation of HTTPS
websites [3][</span><span
style="font-family: Arial, sans-serif; color: black;">4</span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">].</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">-
Routing security defenses (e.g., RPKI) can mitigate the
risk of global BGP attacks, but localized,
equally-specific BGP attacks still pose a significant
threat to the Web PKI [5][6].</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">-
Corroborating domain control validation checks from
multiple network perspectives (i.e., MPIC) spread across
the Internet substantially reduces the threat posed by
equally-specific BGP attacks, ensuring the integrity of
domain validation and issuance decisions [5][7][8].</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">-
Existing deployments of MPIC at the scale of millions of
certificates a day demonstrate the feasibility of this
technique at Internet scale [7][9].</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"><b>Intellectual
Property (IP) Disclosure</b>:</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">- While
not a Server Certificate Working Group Member, researchers
from Princeton University presented at Face-to-Face 58,
provided academic expertise, and highlighted
publicly-available peer-reviewed research to support
Members in drafting this ballot.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">- The
Princeton University researchers indicate that they have
not filed for any patents relating to their MPIC work and
do not plan to do so in the future.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">-
Princeton University has indicated that it is unable to
agree to the CA/Browser Forum IPR agreement because it
could encumber inventions invented by researchers not
involved in the development of MPIC or with the CA/B
Forum.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">-
Princeton University has instead provided the attached IPR
statement. Pursuant to the IPR statement, Princeton
University has granted a worldwide royalty free license to
the intellectual property in MPIC developed by the
researchers and has made representations regarding its
lack of knowledge of any other Princeton intellectual
property needed to implement MPIC.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">- The
attached IPR statement has not changed since disclosed in
Discussion Round 1.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;">-
For clarity, Princeton University’s IPR statement is NOT
intended to replace the Forum’s IPR agreement or allow
Princeton to participate in the Forum in any capacity.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;">-
Members seeking legal advice regarding this ballot should
consult their own counsel.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"><b>Proposal
Revision History</b>:</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">-
Pre-Ballot Release #1 (work team artifacts and broader
Validation Subcommittee collaboration) [10]</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">-
Pre-Ballot Release #2 [11]</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"><b>Previous
versions of this Ballot</b>:</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);">-</span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> Ballot
Release #1 [12] (comparing Version 2 to Version 1) [13].
Note, some of the changes represented in the comparison
are updates made by other ballots that have since passed
(e.g., SC-069).</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">- Ballot
Release #2 [14] (comparing Version 3 to Version 2) [15].
Note, some of the changes represented in the comparison
are updates made by other ballots that have since passed
(e.g., SC-072).</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"><b>References</b>:</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[1] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://cabforum.org/wp-content/uploads/13-CAB-Forum-face-to-face-multiple-vantage-points.pdf"
id="OWA96bcea31-5655-b960-5709-7a34f011e8dd"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://cabforum.org/wp-content/uploads/13-CAB-Forum-face-to-face-multiple-vantage-points.pdf</a></span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[2] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view?usp=drive_link"
id="OWAfdc5a709-7bb0-69fe-5b4a-c37b3ef32543"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view?usp=drive_link</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[3] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600"
id="OWA931b6e8a-b2b3-76f5-9da0-afd6ffd241c6"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[4] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://www.coinbase.com/blog/celer-bridge-incident-analysis"
id="OWA4afb5b40-ed4c-3fa6-8627-c42abd5d36cd"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://www.coinbase.com/blog/celer-bridge-incident-analysis</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[5] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski"
id="OWA39be42d6-034d-ab0f-5371-2f59233ebc96"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[6] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf"
id="OWA98ec0a18-9a83-04a0-a8a5-0d366458dd0d"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[7] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee"
id="OWAd5c3ba1e-e2dc-4f5c-70f9-8a47dd3c3df6"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[8] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee"
id="OWAbd61ffde-6fc9-5545-ffbf-603ca10c6e8b"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[9] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://security.googleblog.com/2023/05/google-trust-services-acme-api_0503894189.html"
id="OWAdb5167a3-cddb-94d6-8aee-c154ae874b3f"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://security.googleblog.com/2023/05/google-trust-services-acme-api_0503894189.html</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[10] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://github.com/ryancdickson/staging/pull/6"
id="OWA0a35cbb9-310d-f642-b92b-b00da115e5e3"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://github.com/ryancdickson/staging/pull/6</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[11] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://github.com/ryancdickson/staging/pull/8"
id="OWA75b8ad0c-ad94-6c1f-bea9-bbe604d25230"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://github.com/ryancdickson/staging/pull/8</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[12] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://github.com/cabforum/servercert/pull/487"
id="OWA177ad678-568e-4b84-da5b-ee3dbc22bf9c"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://github.com/cabforum/servercert/pull/487</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[13] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://github.com/cabforum/servercert/compare/6d10abda8980c6eb941987d3fc26e753e62858c0..5224983ef0a6f94c18808ea3469e7a5ae35746e5"
id="OWAb6fe0854-27bf-26ee-0a0d-ef7eb4c4b264"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://github.com/cabforum/servercert/compare/6d10abda8980c6eb941987d3fc26e753e62858c0..5224983ef0a6f94c18808ea3469e7a5ae35746e5</a></span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[14] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://github.com/cabforum/servercert/pull/507"
id="OWA8d2abece-b0f4-c9d5-aedc-4fb55ca354f4"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://github.com/cabforum/servercert/pull/507</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">[15] </span><span
style="font-family: Arial, sans-serif;"><a
href="https://github.com/cabforum/servercert/compare/5224983ef0a6f94c18808ea3469e7a5ae35746e5..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463"
id="OWA515f9603-ffdb-037a-f6a8-5f81d90522b6"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://github.com/cabforum/servercert/compare/5224983ef0a6f94c18808ea3469e7a5ae35746e5..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463</a></span><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(14, 16, 26);">The
following motion has been proposed by Chris Clements and
Ryan Dickson of Google (Chrome Root Program) and endorsed
by Aaron Gable (ISRG / Let’s Encrypt) and Wayne Thayer
(Fastly). </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;"><b>—
Motion Begins —</b></span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;">This
ballot modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted TLS Server
Certificates” (“Baseline Requirements”), based on Version
2.0.4.</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;">MODIFY
the Baseline Requirements as specified in the following
Redline:</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif;"><a
href="https://github.com/cabforum/servercert/compare/c4a34fe2292022e0a04ba66b5a85df75907ac2a2..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463"
id="OWA0c08fb7f-938d-8349-6c8d-b105c7a7f571"
class="OWAAutoLink moz-txt-link-freetext"
style="margin-top: 0px; margin-bottom: 0px;"
moz-do-not-send="true">https://github.com/cabforum/servercert/compare/c4a34fe2292022e0a04ba66b5a85df75907ac2a2..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463</a></span><span
style="font-family: Arial, sans-serif; color: black;"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;"><b>—
Motion Ends —</b></span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;">This
ballot proposes a Final Maintenance Guideline. The
procedure for approval of this ballot is as follows:</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;"><b>Discussion
(at least 11 days)</b></span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;">-
Start: 2024-05-20 14:30:00 UTC</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;">-
End no earlier than: 2024-05-31 14:30:00 UTC</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: rgb(80, 0, 80);"> </span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;"><b>Vote
for approval (7 days)</b></span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;">-
Start: TBD</span></p>
<p style="margin: 0in;"><span
style="font-family: Arial, sans-serif; color: black;">-
End: TBD</span></p>
<p> </p>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org"
id="OWA919e6c83-7fa6-3ba1-6a61-a085ef030974"
class="OWAAutoLink moz-txt-link-freetext"
moz-do-not-send="true">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
id="OWA94b04bcf-c1b7-7961-f97d-61a7c826cbda"
class="OWAAutoLink moz-txt-link-freetext"
moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote>
</div>
<br>
</blockquote>
<br>
</body>
</html>