[Cscwg-public] [Servercert-wg] Discussion Period Begins on Ballot SC50: Remove the requirements of 4.1.1

Bruce Morton Bruce.Morton at entrust.com
Mon Nov 1 18:28:43 UTC 2021


Wanted to advise that the CSBR 11.4 references BR 4.1.1 as follows, "For Non-EV Code Signing Certificates as specified in BR Section 4.1.1 and for EV Code Signing Certificates as specified in EV Guidelines Section 11.12.2." Since BR 4.1.1 will now read "No stipulation", there will not be a call out for Non-EV Code Signing Certificates.

If we agree that there is no issue, then we remove the reference in a future clean up ballot.

Note for EVG 11.12.2 requires the CA does issue if 1) the Applicant, the Contract Signer, the Certificate Approver are not on a denied list and 2) the Applicant’s Jurisdiction of Incorporation, Registration, or Place of Business are in any country with which the laws of the CA’s jurisdiction prohibit doing business. These requirements do not apply to Non-EV code signing certificates as the roles, jurisdiction and place of business are out of scope.

Plan to discuss at this week's meeting.


Thanks, Bruce.

-----Original Message-----
From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Clint Wilson via Servercert-wg
Sent: Thursday, October 28, 2021 12:00 PM
To: ServerCert CA/BF <servercert-wg at cabforum.org>
Subject: [EXTERNAL] [Servercert-wg] Discussion Period Begins on Ballot SC50: Remove the requirements of 4.1.1

This email begins the discussion period for Ballot SC50: Remove the requirements of 4.1.1

BALLOT SC50: Remove the requirements of 4.1.1

PURPOSE OF BALLOT

When attempting to reduce the retention period required for audit logs and data archives, the NetSec Subcommittee also identified gaps in which data a CA is required to retain which make it somewhat difficult to make the desired adjustments to retention period. Specifically, a CA is currently required to retain, but not use, data as defined in 4.1.1 of the BRs.
While reviewing the intent, purpose, and real-world usage around section 4.1.1, it became apparent that there’s little value in requiring CAs to maintain a database for which there is no prescribed purpose or required action. This ballot seeks to address this gap by replacing section 4.1.1 with "No stipulation." as is appropriate based on current expectations here.

The following motion has been proposed by Clint Wilson of Apple and endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of Microsoft.

-----Motion Begins-----

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as defined in the following redline, based on Version 1.8.0:

https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7..8b2681c3f93bbc9fbe83ab9d67999629db630e94

-----Motion Ends-----

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: October 28 16:00 UTC
End Time: November 4 16:00 UTC

Vote for approval (7 days)

Start Time: TBD
End Time: TBD