[cabfpub] Short-Lived Certificate Ballot

陳立群 realsky at cht.com.tw
Mon Nov 9 10:24:23 UTC 2015

Chunghwa Telecom Co., Ltd.  votes “No”

Sincerely Yours,

                    Li-Chun CHEN

                    Senior Engineer

                    CISSP, CISA, CISM, PMP,

                    Information & Communication Security Dept.

                    Data Communication Business Group

                    Chunghwa Telecom Co. Ltd.

                    realsky at cht.com.tw


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: Tuesday, October 27, 2015 5:38 AM
To: public at cabforum.org
Subject: [cabfpub] Short-Lived Certificate Ballot

Here’s the official Short-Lived Cert Ballot. The review period starts
tomorrow. With the ballot starting on Nov 3.

Ballot 153 - Short-Lived Certificates

The following motion has been proposed by Jeremy Rowley of DigiCert and
endorsed by Ryan Sleevi of Google and Gervase Markham of Mozilla.


1) Add/revise the following definitions:

Issuance Time: The time at which a Certificate’s digital signature is

Short-Lived Certificate: A Certificate with a Validity Period less than 96
hours and a notBefore time no earlier than 24 hours before the Issuance Time
and a notAfter time no later than 72 hours after the Issuance Time.

Validity Period: The period of time measured from notBefore through
notAfter, inclusive. the date when the Certificate is issued until the
Expiry Date.

2) Modify Section 4.9.10 as follows:

4.9.10. On‐line Revocation Checking Requirements

Effective 1 January 2013, the CA SHALL support an OCSP capability using the
GET method for Certificates issued in accordance with these Requirements.

For the status of Subscriber Certificates other than a Short-Lived
Certificate containing a cRLDistributionPoints extension: The CA SHALL
update information provided via an Online Certificate Status Protocol at
least every four days. OCSP responses from this service MUST have a maximum
expiration time of ten days.

3) Modify Section as follows: Subscriber Certificate …

b. cRLDistributionPoints This extension MUST be present for Short-Lived
Certificates that lack an authorityInformationAccess extension and MAY be
present for all other certificates. If present, it MUST NOT be marked
critical, and it MUST contain the HTTP URL of the CA’s CRL service. See
Section 13.2.1 for details.

c. authorityInformationAccess With the exception of stapling and Short-Lived
Certificates, which is noted below, this extension MUST be present. It MUST
NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’
s OCSP responder (accessMethod = It SHOULD also contain
the HTTP URL of the Issuing CA’s certificate (accessMethod =

The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted for
Short-Lived Certificates containing a cRLDistributionPoints extension or if
Subscriber “staples” OCSP responses for the Certificate in its TLS
handshakes [RFC4366].


The review period for this ballot shall commence at 27 October 2015, and
will close at 3 November 2015. Unless the motion is withdrawn during the
review period, the voting period will start immediately thereafter and will
close at 10 November 2015. Votes must be cast by posting an on-list reply to
this thread.

A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here:  <https://cabforum.org/members/>

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Quorum is currently nine
(9) members- at least nine members must participate in the ballot, either by
voting in favor, voting against, or abstaining.

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任. 
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151109/95421141/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6575 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151109/95421141/attachment-0001.p7s>

More information about the Public mailing list