[cabfpub] Short-Lived Certificate Draft Ballot
kirk_hall at trendmicro.com
kirk_hall at trendmicro.com
Tue Oct 20 15:14:23 MST 2015
Jeremy, I didn’t think the comment period had started - thought you were reformulating your draft. (There are only dates and times of xxxxx at the bottom of your draft).
Can you repost showing when the comment period starts, and when the voting period starts?
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Tuesday, October 20, 2015 2:56 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Short-Lived Certificate Draft Ballot
Any additional comments before we start the balloting process?
Ballot XXX - Short-Lived Certificates
The following motion has been proposed by Jeremy Rowley of DigiCert and endorsed by Ryan Sleevi of Google and Gervase Markham of Mozilla.
-- MOTION BEGINS -
Issuance Time: The time at which a Certificate’s digital signature is calculated.
Short-Lived Certificate: A Certificate with a Validity Period less than 96 hours and a notBefore time no earlier than 24 hours before the Issuance Time and a notAfter time no later than 72 hours after the Issuance Time.
Validity Period: The period of time measured from notBefore through notAfter, inclusive. the date when the Certificate is issued until the Expiry Date.
4.9.10. On‐line Revocation Checking Requirements
Effective 1 January 2013, the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements.
For the status of Subscriber Certificates other than a Short-Lived Certificate containing a cRLDistributionPoints extension: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.
220.127.116.11. Subscriber Certificate
b. cRLDistributionPoints This extension MUST be present for Short-Lived Certificates that lack an authorityInformationAccess extension and MAY be present for all other certificates. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service. See Section 13.2.1 for details.
c. authorityInformationAccess With the exception of stapling and Short-Lived Certificates, which is noted below, this extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 18.104.22.168.22.214.171.124.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 126.96.36.199.188.8.131.52.2).
The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted for Short-Lived Certificates containing a cRLDistributionPoints extension or if Subscriber “staples” OCSP responses for the Certificate in its TLS handshakes [RFC4366].
-- MOTION ENDS -
The review period for this ballot shall commence at XXXXXX, and will close at XXXX. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at XXXX. Votes must be cast by posting an on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://cabforum.org/members/
In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently nine (9) members- at least nine members must participate in the ballot, either by voting in favor, voting against, or abstaining.
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public