[cabfpub] Short-Lived Certificate Ballot

Tue Nov 10 07:59:07 UTC 2015

Logius PKIoverheid votes “no”.

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Tuesday, October 27, 2015 5:38 AM
To: public at cabforum.org<mailto:public at cabforum.org>
Subject: [cabfpub] Short-Lived Certificate Ballot

Here’s the official Short-Lived Cert Ballot. The review period starts tomorrow. With the ballot starting on Nov 3.

Ballot 153 – Short-Lived Certificates

The following motion has been proposed by Jeremy Rowley of DigiCert and endorsed by Ryan Sleevi of Google and Gervase Markham of Mozilla.

-- MOTION BEGINS --

1) Add/revise the following definitions:

Issuance Time: The time at which a Certificate’s digital signature is calculated.

Short-Lived Certificate: A Certificate with a Validity Period less than 96 hours and a notBefore time no earlier than 24 hours before the Issuance Time and a notAfter time no later than 72 hours after the Issuance Time.

Validity Period: The period of time measured from notBefore through notAfter, inclusive. the date when the Certificate is issued until the Expiry Date.

2) Modify Section 4.9.10 as follows:

4.9.10. On‐line Revocation Checking Requirements

Effective 1 January 2013, the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements.

For the status of Subscriber Certificates other than a Short-Lived Certificate containing a cRLDistributionPoints extension: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.

3) Modify Section 7.1.2.3 as follows:

7.1.2.3. Subscriber Certificate …

b. cRLDistributionPoints This extension MUST be present for Short-Lived Certificates that lack an authorityInformationAccess extension and MAY be present for all other certificates. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service. See Section 13.2.1 for details.

c. authorityInformationAccess With the exception of stapling and Short-Lived Certificates, which is noted below, this extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).

The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted for Short-Lived Certificates containing a cRLDistributionPoints extension or if Subscriber “staples” OCSP responses for the Certificate in its TLS handshakes [RFC4366].

-- MOTION ENDS --

The review period for this ballot shall commence at 27 October 2015, and will close at 3 November 2015. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 10 November 2015. Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://cabforum.org/members/

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently nine (9) members– at least nine members must participate in the ballot, either by voting in favor, voting against, or abstaining.

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

________________________________

Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. .
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151110/903afb30/attachment-0003.html>