<div dir="ltr">Mozilla will endorse.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 6, 2024 at 7:21 AM Paul van Brouwershaven via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-6774548540541533375">
<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Following yesterday's discussion in the validation subcommittee teleconference, we are now seeking two members to endorse the ballot. Feedback is also welcome, either here or on the pull request.<br>
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
### Purpose of the Ballot</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
This ballot duplicates the content of section 7.1.2.10.5 (CA Certificate Certificate Policies) into section 7.1.2.2 (Cross-Certified Subordinate CA Certificate Profile) as section 7.1.2.2.6 (Cross-Certified Subordinate CA Certificate Certificate Policies),
modifying the requirement from "MUST contain exactly one Reserved Certificate Policy Identifier" to "MUST include at least one Reserved Certificate Policy Identifier" to allow the inclusion of multiple Reserved Certificate Policy Identifiers in a Cross-Certified
Subordinate CA Certificate.</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
The following motion has been proposed by Paul van Brouwershaven (Entrust) and endorsed by XXX (XXX) and XXX (XXX).</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
GitHub pull request for this ballot: <a href="https://github.com/cabforum/servercert/pull/544" id="m_-6774548540541533375OWA78c8b185-f261-e025-fb21-a7eff0192685" target="_blank">
https://github.com/cabforum/servercert/pull/544</a> </div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
### Motion begins</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.0.6 as specified in the following redline:</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<a href="https://github.com/cabforum/servercert/compare/929d9b4a1ed1f13f92f6af672ad6f6a2153b8230...89f80028b40ce6a1a5c52b406d37e5534460a1a1" id="m_-6774548540541533375OWA06557f30-674d-f9af-9e80-9b5705d6bfb5" target="_blank">https://github.com/cabforum/servercert/compare/929d9b4a1ed1f13f92f6af672ad6f6a2153b8230...89f80028b40ce6a1a5c52b406d37e5534460a1a1</a></div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
### Motion ends</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Discussion (7+ days)</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
- Start time: TBC</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
- End time: TBC</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Vote for approval (7 days)</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
- Start time: TBC</div>
<div style="margin-left:40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
- End time: TBC</div>
<div id="m_-6774548540541533375appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_-6774548540541533375divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Validation <<a href="mailto:validation-bounces@cabforum.org" target="_blank">validation-bounces@cabforum.org</a>> on behalf of Paul van Brouwershaven via Validation <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>><br>
<b>Sent:</b> Thursday, September 5, 2024 16:40<br>
<b>To:</b> CABforum3 <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>><br>
<b>Subject:</b> [EXTERNAL] [cabf_validation] Section 7.1.2.10.5 CA Certificate Certificate Policies for cross signing certificates</font>
<div> </div>
</div>
<div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
We would like to clarify the following requirement in section 7.1.2.10.5 CA Certificate Certificate Policies, specifically for cross signing certificates.</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
RFC 5280 states that you can have one CertPolicyId within the PolicyInformation, see below:</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px 0px 0px 40px;font-family:"Courier New",monospace;font-size:9pt;color:rgb(0,0,0)">
<i>certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation</i></div>
<div style="margin-left:40px;font-family:"Courier New",monospace;font-size:9pt;color:rgb(0,0,0)">
<i><br>
</i></div>
<div style="margin-left:40px;font-family:"Courier New",monospace;font-size:9pt;color:rgb(0,0,0)">
<i>PolicyInformation ::= SEQUENCE {</i></div>
<div style="margin-left:40px;font-family:"Courier New",monospace;font-size:9pt;color:rgb(0,0,0)">
<i> policyIdentifier </i><b><i>CertPolicyId</i></b><i>,</i></div>
<div style="margin-left:40px;font-family:"Courier New",monospace;font-size:9pt;color:rgb(0,0,0)">
<i> policyQualifiers SEQUENCE SIZE (1..MAX) OF</i></div>
<div style="margin-left:40px;font-family:"Courier New",monospace;font-size:9pt;color:rgb(0,0,0)">
<i> PolicyQualifierInfo OPTIONAL }</i></div>
<div style="margin-left:40px;font-family:"Courier New",monospace;font-size:9pt;color:rgb(0,0,0)">
<i><br>
</i></div>
<div style="margin-left:40px;font-family:"Courier New",monospace;font-size:9pt;color:rgb(0,0,0)">
<b><i>CertPolicyId </i></b><i>::= OBJECT IDENTIFIER</i></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Section 7.1.2.10.5 of the TLS BR states for the policyIdentifier:</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px 0px 0px 40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<i>The CA MUST include </i><b><i><u>at least one</u></i></b><i> Reserved Certificate Policy Identifier (see Section 7.1.6.1) associated with the given Subscriber Certificate type (see Section 7.1.2.7.1) directly or transitively issued by this Certificate.</i></div>
<div style="text-align:left;text-indent:0px;margin:0px 0px 0px 40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
This 'at least one' seems to contradict RFC 5280 which indicates that we can only have one policyIdentifier in the PolicyInformation sequence.</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Then at the bottom of this section the TLS BRs state that the entire certificate policies extension MUST contain exactly one Reserved Certificate Policy Identifier:</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px 0px 0px 40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<i>Regardless of the order of PolicyInformation values, the Certificate Policies extension
</i><b><i><u>MUST contain exactly one</u></i></b><i> Reserved Certificate Policy Identifier.</i></div>
<div style="text-align:left;text-indent:0px;margin:0px 0px 0px 40px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<i><br>
</i></div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
While we can repeat the PolicyInformation within the certificatePolicies extension, does this mean that CAs are prohibited from issuing a cross signing certificate (from a multi-purpose root to another multi-purpose root) with policy constraints that include DV,
OV and EV reserved certificate policy identifiers? If our reading of this section is correct, this would mean that CAs need to issue three separate cross signing certificates in that case.</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Paul</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="text-align:left;text-indent:0px;margin:0px;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
</div>
</div>
_______________________________________________<br>
Validation mailing list<br>
<a href="mailto:Validation@cabforum.org" target="_blank">Validation@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/validation" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/validation</a><br>
</div></blockquote></div>
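<p>As an added illustration (not part of this thread, and not CA/Browser Forum or Entrust code), the following Python builds and parses a certificatePolicies extension with hand-written DER so the structural point of the thread is visible: each PolicyInformation carries exactly one CertPolicyId, and several Reserved Certificate Policy Identifiers are expressed by repeating PolicyInformation inside the outer SEQUENCE OF. It then counts the Reserved identifiers (the OIDs listed in TLS BR section 7.1.6.1) against the current "exactly one" wording of 7.1.2.10.5 and the "at least one" wording this ballot proposes for 7.1.2.2.6. The CA-specific OID 1.3.6.1.4.1.99999.1.1, the sample extension and the function names are assumptions made for the example.</p>

```python
"""Minimal DER encoder/decoder for certificatePolicies (RFC 5280 section 4.2.1.4).
Added example: each PolicyInformation holds one CertPolicyId, so multiple OIDs
are carried by repeating PolicyInformation in the outer SEQUENCE OF."""

# Reserved Certificate Policy Identifiers from TLS BR section 7.1.6.1.
RESERVED_POLICY_IDENTIFIERS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(n: int) -> bytes:
    """One OID sub-identifier in base 128, continuation bit set on all but the last octet."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])  # first two arcs share one sub-identifier
    for arc in arcs[2:]:
        body += _base128(arc)
    return bytes([TAG_OID]) + _der_length(len(body)) + body


def encode_sequence(content: bytes) -> bytes:
    return bytes([TAG_SEQUENCE]) + _der_length(len(content)) + content


def build_certificate_policies(oids) -> bytes:
    """SEQUENCE OF PolicyInformation, one SEQUENCE { policyIdentifier } per OID, no qualifiers."""
    return encode_sequence(b"".join(encode_sequence(encode_oid(o)) for o in oids))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    root = 2 if first >= 80 else first // 40  # roots 0 and 1 only allow a second arc below 40
    return ".".join(str(a) for a in [root, first - 40 * root] + subids[1:])


def parse_certificate_policies(der: bytes):
    """policyIdentifier of every PolicyInformation, in order; policyQualifiers are ignored."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)  # policyIdentifier is the first element
        if tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def reserved_policy_identifiers(der: bytes):
    return [o for o in parse_certificate_policies(der) if o in RESERVED_POLICY_IDENTIFIERS]


def complies(der: bytes, rule: str) -> bool:
    """'exactly_one' models the current 7.1.2.10.5 text, 'at_least_one' the proposed 7.1.2.2.6
    text. Only Reserved identifiers are counted; CA-specific policy OIDs do not affect the result."""
    count = len(reserved_policy_identifiers(der))
    if rule == "exactly_one":
        return count == 1
    if rule == "at_least_one":
        return count >= 1
    raise ValueError(f"unknown rule {rule!r}")


# Constructed sample: a cross-certificate carrying DV, OV and EV plus one CA-specific
# policy OID (1.3.6.1.4.1.99999.1.1 is a placeholder, not any real CA's OID).
CROSS_SIGN_POLICIES = build_certificate_policies(
    ["2.23.140.1.2.1", "2.23.140.1.2.2", "2.23.140.1.1", "1.3.6.1.4.1.99999.1.1"]
)

if __name__ == "__main__":
    print(CROSS_SIGN_POLICIES.hex())
    for rule in ("exactly_one", "at_least_one"):
        print(rule, complies(CROSS_SIGN_POLICIES, rule))
```

<p>The sample extension fails the "exactly one" rule and passes the "at least one" rule, which is the difference the ballot is about. The parser deliberately ignores policyQualifiers and does not model anyPolicy (2.5.29.32.0) or the policy constraints a real cross-certificate would carry; a full linter would add both.</p>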