[cabfpub] Short-Lived Certificate Ballot

Gervase Markham gerv at mozilla.org
Thu Nov 5 02:33:15 MST 2015


Mozilla votes "Yes".

Gerv

On 04/11/15 21:10, Billy VanCannon wrote:
> Trustwave votes “Yes”
> 
> *From:* public-bounces at cabforum.org *On Behalf Of* Jeremy Rowley
> *Sent:* Monday, October 26, 2015 3:38 PM
> *To:* public at cabforum.org
> *Subject:* [cabfpub] Short-Lived Certificate Ballot
> 
> Here’s the official Short-Lived Cert Ballot. The review period starts
> tomorrow, with the ballot starting on Nov 3.
> 
> *Ballot 153 – Short-Lived Certificates*
> 
> The following motion has been proposed by Jeremy Rowley of DigiCert and
> endorsed by Ryan Sleevi of Google and Gervase Markham of Mozilla.
> 
> -- MOTION BEGINS --
> 
> 1) Add/revise the following definitions:
> 
> _Issuance Time: The time at which a Certificate’s digital signature is
> calculated._
> 
> _Short-Lived Certificate: A Certificate with a Validity Period less than
> 96 hours and a notBefore time no earlier than 24 hours before the
> Issuance Time and a notAfter time no later than 72 hours after the
> Issuance Time._
> 
> Validity Period: The period of time measured from _notBefore through
> notAfter, inclusive_. the date when the Certificate is issued until the
> Expiry Date.
> 
> 2) Modify Section 4.9.10 as follows:
> 
> 4.9.10. On‐line Revocation Checking Requirements
> 
> Effective 1 January 2013, the CA SHALL support an OCSP capability using
> the GET method for Certificates issued in accordance with these
> Requirements.
> 
> For the status of Subscriber Certificates _other than a Short-Lived
> Certificate containing a cRLDistributionPoints extension_: The CA SHALL
> update information provided via an Online Certificate Status Protocol at
> least every four days. OCSP responses from this service MUST have a
> maximum expiration time of ten days.
> 
> 3) Modify Section 7.1.2.3 as follows:
> 
> 7.1.2.3. Subscriber Certificate …
> 
> b. cRLDistributionPoints This extension _MUST be present for Short-Lived
> Certificates that lack an authorityInformationAccess extension and_ MAY
> be present for all other certificates. If present, it MUST NOT be marked
> critical, and it MUST contain the HTTP URL of the CA’s CRL service. See
> Section 13.2.1 for details.
> 
> c. authorityInformationAccess With the exception of stapling _and
> Short-Lived Certificates_, which is noted below, this extension MUST be
> present. It MUST NOT be marked critical, and it MUST contain the HTTP
> URL of the Issuing CA’s OCSP responder (accessMethod =
> 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing
> CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
> 
> The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted _for
> Short-Lived Certificates containing a cRLDistributionPoints extension or
> if_ Subscriber “staples” OCSP responses for the Certificate in its TLS
> handshakes [RFC4366].
> 
> -- MOTION ENDS --
> 
> The review period for this ballot shall commence at 27 October 2015, and
> will close at 3 November 2015. Unless the motion is withdrawn during the
> review period, the voting period will start immediately thereafter and
> will close at 10 November 2015. Votes must be cast by posting an on-list
> reply to this thread.
> 
> A vote in favor of the motion must indicate a clear 'yes' in the
> response. A vote against must indicate a clear 'no' in the response. A
> vote to abstain must indicate a clear 'abstain' in the response. Unclear
> responses will not be counted. The latest vote received from any
> representative of a voting member before the close of the voting period
> will be counted. Voting members are listed
> here: https://cabforum.org/members/
> 
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes
> cast by members in the browser category must be in favor. Quorum is
> currently nine (9) members – at least nine members must participate in
> the ballot, either by voting in favor, voting against, or abstaining.
> 
> 
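
A check of the ballot's Short-Lived Certificate definition and the revised 7.1.2.3 revocation-pointer rules, added here as an example; it is not part of the ballot or of any message in this thread. Assumptions: the names `CertFacts`, `is_short_lived` and `revocation_findings` are hypothetical, the Issuance Time is supplied from the CA's own records (it is not a certificate field), "inclusive" is read at one-second granularity, and AIA presence is treated as one flag with its OCSP URL.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class CertFacts:
    # Hypothetical container for what a linter would extract from a certificate.
    not_before: datetime
    not_after: datetime
    issuance_time: datetime     # assumption: taken from CA issuance records
    has_crldp: bool             # cRLDistributionPoints extension present
    has_aia: bool               # AIA with OCSP URL (1.3.6.1.5.5.7.48.1) present
    staples_ocsp: bool = False  # subscriber staples OCSP responses

def validity_period(c):
    # "notBefore through notAfter, inclusive": both endpoint seconds count.
    return c.not_after - c.not_before + timedelta(seconds=1)

def is_short_lived(c):
    # All three conditions of the ballot's definition must hold.
    return (validity_period(c) < timedelta(hours=96)
            and c.not_before >= c.issuance_time - timedelta(hours=24)
            and c.not_after <= c.issuance_time + timedelta(hours=72))

def revocation_findings(c):
    """Violations of the revocation-pointer rules, as read from the motion text."""
    findings = []
    if is_short_lived(c):
        # 7.1.2.3(b): CRLDP MUST be present when a short-lived cert lacks AIA.
        if not c.has_aia and not c.has_crldp:
            findings.append("short-lived: cRLDistributionPoints required without AIA")
    elif not c.has_aia and not c.staples_ocsp:
        # 7.1.2.3(c): other certificates need AIA unless OCSP is stapled.
        findings.append("not short-lived: AIA OCSP URL required without stapling")
    return findings

# Constructed sample values, not taken from any real certificate.
ISSUED = datetime(2015, 11, 3, 12, 0, 0, tzinfo=timezone.utc)
TYPICAL = CertFacts(ISSUED - timedelta(hours=1), ISSUED + timedelta(hours=72),
                    ISSUED, has_crldp=True, has_aia=False)
# Maximum backdating plus maximum lifetime: 96h + 1s inclusive, so NOT short-lived.
BOTH_MAX = CertFacts(ISSUED - timedelta(hours=24), ISSUED + timedelta(hours=72),
                     ISSUED, has_crldp=True, has_aia=False)
# Short-lived but carrying neither revocation pointer.
NO_POINTERS = CertFacts(ISSUED, ISSUED + timedelta(hours=48),
                        ISSUED, has_crldp=False, has_aia=False)

if __name__ == "__main__":
    for name, c in [("typical", TYPICAL), ("both-max", BOTH_MAX), ("no-pointers", NO_POINTERS)]:
        print(name, is_short_lived(c), revocation_findings(c))
```

The `BOTH_MAX` case shows that the 24-hour backdating allowance and the 72-hour forward limit cannot both be used in full, because the inclusive Validity Period must stay under 96 hours.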

