[cabfpub] Short-Lived Certificate Ballot
eddy_nigg at startcom.org
Thu Nov 5 10:52:08 UTC 2015
On 10/26/2015 11:38 PM, Jeremy Rowley wrote:
> Here's the official Short-Lived Cert Ballot. The review period starts
> tomorrow, with the ballot starting on Nov 3.
> *Ballot 153 -- Short-Lived Certificates*
> The following motion has been proposed by Jeremy Rowley of DigiCert and
> endorsed by Ryan Sleevi of Google and Gervase Markham of Mozilla.
> -- MOTION BEGINS --
> 1) Add/revise the following definitions:
> _Issuance Time: The time at which a Certificate's digital signature is
> _Short-Lived Certificate: A Certificate with a Validity Period less
> than 96 hours and a notBefore time no earlier than 24 hours before the
> Issuance Time and a notAfter time no later than 72 hours after the
> Issuance Time._
> Validity Period: The period of time measured from _notBefore through
> notAfter, inclusive_. the date when the Certificate is issued until the
> Expiry Date.
> 2) Modify Section 4.9.10 as follows:
> 4.9.10. On-line Revocation Checking Requirements
> Effective 1 January 2013, the CA SHALL support an OCSP capability
> using the GET method for Certificates issued in accordance with these
> For the status of Subscriber Certificates _other than a Short-Lived
> Certificate containing a cRLDistributionPoints extension_: The CA
> SHALL update information provided via an Online Certificate Status
> Protocol at least every four days. OCSP responses from this service
> MUST have a maximum expiration time of ten days.
> 3) Modify Section 7.1.2.3 as follows:
> 7.1.2.3. Subscriber Certificate...
> b. cRLDistributionPoints This extension _MUST be present for
> Short-Lived Certificates that lack an authorityInformationAccess
> extension and_ MAY be present for all other certificates. If present,
> it MUST NOT be marked critical, and it MUST contain the HTTP URL of
> the CA's CRL service. See Section 13.2.1 for details.
> c. authorityInformationAccess With the exception of stapling _and
> Short-Lived Certificates_, which is noted below, this extension MUST be
> present. It MUST NOT be marked critical, and it MUST contain the HTTP
> URL of the Issuing CA's OCSP responder (accessMethod =
> 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the
> Issuing CA's certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
> The HTTP URL of the Issuing CA's OCSP responder MAY be omitted _for
> Short-Lived Certificates containing a cRLDistributionPoints extension
> or if_ Subscriber "staples" OCSP responses for the Certificate in its
> TLS handshakes [RFC4366].
> -- MOTION ENDS --
> The review period for this ballot shall commence at 27 October 2015,
> and will close at 3 November 2015. Unless the motion is withdrawn
> during the review period, the voting period will start immediately
> thereafter and will close at 10 November 2015. Votes must be cast by
> posting an on-list reply to this thread.
> A vote in favor of the motion must indicate a clear 'yes' in the
> response. A vote against must indicate a clear 'no' in the response. A
> vote to abstain must indicate a clear 'abstain' in the response.
> Unclear responses will not be counted. The latest vote received from
> any representative of a voting member before the close of the voting
> period will be counted. Voting members are listed
> In order for the motion to be adopted, two thirds or more of the votes
> cast by members in the CA category and greater than 50% of the votes
> cast by members in the browser category must be in favor. Quorum is
> currently nine (9) members-- at least nine members must participate in
> the ballot, either by voting in favor, voting against, or abstaining.
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
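
The Short-Lived Certificate definition and the revised cRLDistributionPoints / authorityInformationAccess rules quoted in the motion above can be checked mechanically. The following is an added example, not part of the original message or of any CA/Browser Forum tooling. It assumes a hypothetical minimal `Cert` record rather than a parsed X.509 certificate, takes the Issuance Time as an input, treats the AIA extension and its OCSP URL as a single flag, and encodes one reading of the proposed text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Cert:
    """Hypothetical minimal view of a certificate (not an X.509 parser)."""
    not_before: datetime
    not_after: datetime
    crl_dp: bool = False    # cRLDistributionPoints present
    aia_ocsp: bool = False  # AIA present with an OCSP responder URL
    stapling: bool = False  # Subscriber staples OCSP responses

def validity_period(c: Cert) -> timedelta:
    # "notBefore through notAfter, inclusive": the notAfter second counts too.
    return c.not_after - c.not_before + timedelta(seconds=1)

def is_short_lived(c: Cert, issued: datetime) -> bool:
    # All three conditions of the proposed definition must hold.
    return (validity_period(c) < timedelta(hours=96)
            and c.not_before >= issued - timedelta(hours=24)
            and c.not_after <= issued + timedelta(hours=72))

def lint(c: Cert, issued: datetime) -> list:
    short, findings = is_short_lived(c, issued), []
    if short and not c.aia_ocsp and not c.crl_dp:
        findings.append("short-lived without AIA: cRLDistributionPoints MUST be present")
    if not short and not c.aia_ocsp and not c.stapling:
        findings.append("AIA with OCSP URL MUST be present (no stapling, not short-lived)")
    return findings

# Constructed sample data; Issuance Time is an input, not a certificate field.
ISSUED = datetime(2015, 11, 3, tzinfo=timezone.utc)
H = timedelta(hours=1)
SAMPLES = {
    "typical": Cert(ISSUED - H, ISSUED + 72 * H, crl_dp=True),
    "widest": Cert(ISSUED - 24 * H, ISSUED + 72 * H - timedelta(seconds=2), crl_dp=True),
    "one_second_over": Cert(ISSUED - 24 * H, ISSUED + 72 * H - timedelta(seconds=1), crl_dp=True),
    "no_revocation_pointer": Cert(ISSUED, ISSUED + 48 * H),
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, is_short_lived(cert, ISSUED), lint(cert, ISSUED))
```

Because the Validity Period is inclusive and must be strictly less than 96 hours, a certificate cannot use the full 24-hour backdating window and the full 72-hour forward window at once; the `one_second_over` sample falls out of the short-lived class and back under the ordinary AIA requirement.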