[cabfpub] Short-Lived Certificate Draft Ballot

Ben Wilson ben.wilson at digicert.com
Thu Oct 22 06:08:51 MST 2015


Let’s assign “Ballot 153” to this.  Then I’ll assign Ballot 154 to my
draft of “Convert EV Guidelines to RFC 3647 Framework and GitHub” and
Ballot 155 for “Convert Network and Certificate System Security
Requirements to RFC 3647 Framework and GitHub”.



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: Tuesday, October 20, 2015 4:23 PM
To: kirk_hall at trendmicro.com; public at cabforum.org
Subject: Re: [cabfpub] Short-Lived Certificate Draft Ballot



It hasn’t started.  I was wondering if there were any additional comments
before I added it to the wiki and set dates for the comment/ballot period.



From: kirk_hall at trendmicro.com <mailto:kirk_hall at trendmicro.com>
[mailto:kirk_hall at trendmicro.com]
Sent: Tuesday, October 20, 2015 4:14 PM
To: Jeremy Rowley; public at cabforum.org <mailto:public at cabforum.org>
Subject: RE: Short-Lived Certificate Draft Ballot



Jeremy, I didn’t think the comment period had started - thought you were
reformulating your draft.  (There are only dates and times of xxxxx at the
bottom of your draft).



Can you repost showing when the comment period starts, and when the voting
period starts?



From: public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>
[mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Tuesday, October 20, 2015 2:56 PM
To: public at cabforum.org <mailto:public at cabforum.org>
Subject: Re: [cabfpub] Short-Lived Certificate Draft Ballot





Any additional comments before we start the balloting process?



Ballot XXX - Short-Lived Certificates

The following motion has been proposed by Jeremy Rowley of DigiCert and
endorsed by Ryan Sleevi of Google and Gervase Markham of Mozilla.

-- MOTION BEGINS -

Definitions:



Issuance Time: The time at which a Certificate’s digital signature is
calculated.



Short-Lived Certificate: A Certificate with a Validity Period less than 96
hours and a notBefore time no earlier than 24 hours before the Issuance Time
and a notAfter time no later than 72 hours after the Issuance Time.



Validity Period: The period of time measured from notBefore through
notAfter, inclusive.  the date when the Certificate is issued until the
Expiry Date.



4.9.10. On‐line Revocation Checking Requirements



Effective 1 January 2013, the CA SHALL support an OCSP capability using the
GET method for Certificates issued in accordance with these Requirements.



For the status of Subscriber Certificates other than a Short-Lived
Certificate containing a cRLDistributionPoints extension: The CA SHALL
update information provided via an Online Certificate Status Protocol at
least every four days. OCSP responses from this service MUST have a maximum
expiration time of ten days.



7.1.2.3. Subscriber Certificate

…



b. cRLDistributionPoints This extension MUST be present for Short-Lived
Certificates that lack an authorityInformationAccess extension and MAY be
present for all other certificates. If present, it MUST NOT be marked
critical, and it MUST contain the HTTP URL of the CA’s CRL service. See
Section 13.2.1 for details.



c. authorityInformationAccess With the exception of stapling and
Short-Lived Certificates, which is noted below, this extension MUST be
present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of
the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It
SHOULD also contain the HTTP URL of the Issuing CA’s certificate
(accessMethod = 1.3.6.1.5.5.7.48.2).



The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted for
Short-Lived Certificates containing a cRLDistributionPoints extension or if
Subscriber “staples” OCSP responses for the Certificate in its TLS
handshakes [RFC4366].



-- MOTION ENDS -

The review period for this ballot shall commence at XXXXXX, and will close
at XXXX. Unless the motion is withdrawn during the review period, the voting
period will start immediately thereafter and will close at XXXX. Votes must
be cast by posting an on-list reply to this thread.

A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: https://cabforum.org/members/

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Quorum is currently nine
(9) members- at least nine members must participate in the ballot, either by
voting in favor, voting against, or abstaining.
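
The draft's Short-Lived Certificate definition and its conditional cRLDistributionPoints and authorityInformationAccess rules, written as a checker. This is an added example, not part of the ballot or of any CA/Browser Forum tooling: `CertFacts`, `is_short_lived` and `lint` are hypothetical names, the certificate fields are assumed to be already parsed, "inclusive" is read as counting the notAfter second, and the exemption logic is one reading of the draft text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
OCSP_OID = "1.3.6.1.5.5.7.48.1"  # OCSP accessMethod quoted in 7.1.2.3(c)

@dataclass
class CertFacts:  # hypothetical record of already-parsed certificate fields
    issuance: datetime
    not_before: datetime
    not_after: datetime
    crldp_urls: Optional[list] = None  # None means the extension is absent
    crldp_critical: bool = False
    aia: Optional[dict] = None         # accessMethod OID -> URL, None if absent
    aia_critical: bool = False
    staples_ocsp: bool = False

def is_short_lived(c):
    # Assumption: "inclusive" counts the notAfter second itself.
    period = c.not_after - c.not_before + timedelta(seconds=1)
    return (period < timedelta(hours=96)
            and c.not_before >= c.issuance - timedelta(hours=24)
            and c.not_after <= c.issuance + timedelta(hours=72))

def lint(c):
    """List violations of the draft 7.1.2.3 (b)/(c) text (one reading of it)."""
    errs, short = [], is_short_lived(c)
    if c.crldp_urls is not None:
        if c.crldp_critical:
            errs.append("cRLDistributionPoints marked critical")
        if not any(u.lower().startswith("http://") for u in c.crldp_urls):
            errs.append("cRLDistributionPoints lacks an HTTP URL")
    elif short and c.aia is None:
        errs.append("short-lived without AIA must carry cRLDistributionPoints")
    if c.aia is not None and c.aia_critical:
        errs.append("authorityInformationAccess marked critical")
    has_ocsp = bool(c.aia) and c.aia.get(OCSP_OID, "").lower().startswith("http://")
    exempt = c.staples_ocsp or (short and c.crldp_urls is not None)
    if not has_ocsp and not exempt:
        errs.append("OCSP responder URL missing")
    return errs

# Constructed sample: issued 2015-10-20 12:00 UTC, CRL pointer only, no AIA.
T = datetime(2015, 10, 20, 12, tzinfo=timezone.utc)
CRL = ["http://crl.example.test/ca.crl"]
ok = CertFacts(T, T - timedelta(hours=1), T + timedelta(hours=71), crldp_urls=CRL)
# Both bounds at their limits span 96 hours, so the "< 96 hours" test fails.
edge = CertFacts(T, T - timedelta(hours=24), T + timedelta(hours=72), crldp_urls=CRL)
for c in (ok, edge):
    print(is_short_lived(c), lint(c))
```

The `edge` case shows that a certificate using the full 24-hour backdating allowance together with the full 72-hour lifetime does not meet the definition, so it falls back to the ordinary OCSP requirement.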





