[cabfpub] Ballot 151

Eddy Nigg eddy_nigg at startcom.org
Thu Sep 24 16:08:20 UTC 2015


StartCom votes YES.

On 09/14/2015 10:11 PM, Dean Coclin wrote:
>
> Due to the confusion as to the voting period on ballot 150, it failed 
> for lack of quorum. We are therefore submitting this as a new ballot. 
> The discussion period begins today followed by voting per the schedule 
> below.  We believe we have captured all the comments but if you have 
> others, please feel free to remark.
>
> *Ballot 151- Revised Addition of Optional OIDs for Indicating Level of 
> Validation*
>
>  The following motion has been proposed by Dean Coclin of Symantec and 
> endorsed by Jeremy Rowley of Digicert and Kirk Hall of Trend Micro.
>
> -- MOTION BEGINS --
>
> 1) Modify section 1.2 of Baseline Requirements as follows:
>
> *1.2 Document Name and Identification*
>
> This certificate policy (CP) contains the requirements for the 
> issuance and management of publicly-trusted SSL certificates, as 
> adopted by the CA/Browser Forum.
>
> The following Certificate Policy identifiers are reserved for use by 
> CAs as an optional means of asserting compliance with this CP (OID arc 
> 2.23.140.1.2) as follows:
>
> {joint-iso-itu-t(2) international-organizations(23) 
> ca-browser-forum(140) certificate-policies(1) 
> baseline-requirements(2) domain-validated(1)} (2.23.140.1.2.1);
>
> {joint-iso-itu-t(2) international-organizations(23) 
> ca-browser-forum(140) certificate-policies(1) 
> baseline-requirements(2) organization-validated(2)} (2.23.140.1.2.2) and
>
> _{joint-iso-itu-t(2) international-organizations(23) 
> ca-browser-forum(140) certificate-policies(1) 
> baseline-requirements(2) individual-validated(3)} (2.23.140.1.2.3)._
>
> 2) Modify section 7.1.6.1 of the Baseline Requirements as follows:
>
> *7.1.6.1. Reserved Certificate Policy Identifiers*
>
> This section describes the content requirements for the Root CA, 
> Subordinate CA, and Subscriber Certificates, as they relate to the 
> identification of Certificate Policy.
>
> The following Certificate Policy identifiers are reserved for use by 
> CAs as an optional means of asserting compliance with these 
> Requirements as follows:
>
> {joint-iso-itu-t(2) international-organizations(23) 
> ca-browser-forum(140) certificate-policies(1) baseline-requirements(2) 
> domain-validated(1)} (2.23.140.1.2.1), if the Certificate complies 
> with these Requirements but lacks Subject Identity Information that is 
> verified in accordance with either Section 3.2.2.1 _or Section 3.2.3_.
>
> If the Certificate asserts the policy identifier of 2.23.140.1.2.1, 
> then it MUST NOT include organizationName, givenName, surname, 
> streetAddress, localityName, stateOrProvinceName, or postalCode in the 
> Subject field.
>
> {joint-iso-itu-t(2) international-organizations(23) 
> ca-browser-forum(140) certificate-policies(1) baseline-requirements(2) 
> organization-validated(2)} (2.23.140.1.2.2), if the Certificate 
> complies with these Requirements and includes Subject Identity 
> Information that is verified in accordance with Section 3.2.2.1.
>
> _{joint-iso-itu-t(2) international-organizations(23) 
> ca-browser-forum(140) certificate-policies(1) baseline-requirements(2) 
> individual-validated(3)} (2.23.140.1.2.3), if the Certificate complies 
> with these Requirements and includes Subject Identity Information that 
> is verified in accordance with Section 3.2.3._
>
> If the Certificate asserts the policy identifier of 2.23.140.1.2.2, 
> then it MUST also include organizationName, localityName _(to the 
> extent such field is required under Section 7.1.4.2.2)_, 
> stateOrProvinceName _(to the extent such field is required under 
> Section 7.1.4.2.2_), and countryName in the Subject field. _If the 
> Certificate asserts the policy identifier of 2.23.140.1.2.3, then it 
> MUST also include (i) either organizationName or givenName and 
> surname, (ii) localityName (to the extent such field is required under 
> Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required 
> under Section 7.1.4.2.2), and (iv) countryName in the Subject field._
>
> 3) Modify the definition of "EV OID" in the EV Guidelines as follows:
>
> *EV OID*: An identifying number, in the form of an "object 
> identifier," that is included in the certificatePolicies field of a 
> certificate that: (i) indicates which CA policy statement relates to 
> that certificate, and (ii) _is either the CA/Browser Forum EV policy 
> identifier or a  policy identifier that_, by pre-agreement with one or 
> more Application Software Supplier, marks the certificate as being an 
> EV Certificate.
>
> 4) Modify Section 9.3.2 of the EV Guidelines as follows:
>
> Each EV Certificate issued by the CA to a Subscriber MUST contain a 
> policy identifier _that is either_ defined by _these Guidelines or 
> _the CA in the certificate's certificatePolicies extension that: (i) 
> indicates which CA policy statement relates to that Certificate, (ii) 
> asserts the CA's adherence to and compliance with these Guidelines, 
> and (iii), _is either the CA/Browser Forum's EV policy identifier or a 
> policy identifier that, _by pre-agreement with the Application 
> Software Supplier, marks the Certificate as being an EV Certificate.
>
> _The following Certificate Policy identifier is the CA/Browser Forum's 
> EV policy identifier: _
>
> _{joint-iso-itu-t(2) international-organizations(23) 
> ca-browser-forum(140) certificate-policies(1) ev-guidelines (1) } 
> (2.23.140.1.1), if the Certificate complies with these Guidelines._
>
> If the ballot passes, the custodian of the Forum OIDs will be 
> instructed to obtain the new OID for IV as indicated above.
>
> -- MOTION ENDS --
>
> The review period for this ballot shall commence at 2200 UTC on 
> Monday, September 14, 2015, and will close at 2200 UTC on Monday, 
> September 21, 2015. Unless the motion is withdrawn during the review 
> period, the voting period will start immediately thereafter and will 
> close at 2200 UTC on Monday, September 28, 2015. Votes must be cast by 
> posting an on-list reply to this thread.
>
> A vote in favor of the motion must indicate a clear 'yes' in the 
> response. A vote against must indicate a clear 'no' in the response. A 
> vote to abstain must indicate a clear 'abstain' in the response. 
> Unclear responses will not be counted. The latest vote received from 
> any representative of a voting member before the close of the voting 
> period will be counted. Voting members are listed here: 
> https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes 
> cast by members in the CA category and greater than 50% of the votes 
> cast by members in the browser category must be in favor. Quorum is 
> currently nine (9) members-- at least nine members must participate in 
> the ballot, either by voting in favor, voting against, or abstaining.
>
> Dean Coclin
>
> Chair CA/B Forum

-- 
Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
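
The Subject-field rules in section 7.1.6.1 of the quoted motion, written as a lint check. This is an added example, not part of the ballot or of either message: `lint_subject` and the dictionary form of the Subject are assumptions, and the sample subjects are constructed. The localityName and stateOrProvinceName conditions depend on Section 7.1.4.2.2, which the message does not quote, so they are not checked.

```python
# Reserved policy identifiers as quoted in the ballot text.
DV = "2.23.140.1.2.1"  # domain-validated
OV = "2.23.140.1.2.2"  # organization-validated
IV = "2.23.140.1.2.3"  # individual-validated

# Subject attributes a certificate asserting the DV identifier MUST NOT carry.
DV_FORBIDDEN = ("organizationName", "givenName", "surname", "streetAddress",
                "localityName", "stateOrProvinceName", "postalCode")


def lint_subject(policy_oids, subject):
    """Return findings for a certificate's policy OIDs and Subject.

    policy_oids: iterable of dotted OID strings from certificatePolicies.
    subject: dict of attribute name -> value (hypothetical representation).
    """
    oids = set(policy_oids)
    present = {name for name, value in subject.items() if value}
    findings = []
    if DV in oids:
        for name in DV_FORBIDDEN:
            if name in present:
                findings.append(f"{DV}: Subject MUST NOT include {name}")
    if OV in oids:
        for name in ("organizationName", "countryName"):
            if name not in present:
                findings.append(f"{OV}: Subject MUST include {name}")
    if IV in oids:
        has_org = "organizationName" in present
        has_person = {"givenName", "surname"} <= present
        if not (has_org or has_person):
            findings.append(f"{IV}: Subject MUST include organizationName "
                            "or givenName and surname")
        if "countryName" not in present:
            findings.append(f"{IV}: Subject MUST include countryName")
    return findings


# Constructed sample subjects, not taken from real certificates.
DV_CLEAN = {"commonName": "www.example.com"}
DV_WITH_ORG = {"commonName": "www.example.com",
               "organizationName": "Example Ltd", "countryName": "US"}
IV_PERSON = {"givenName": "Alice", "surname": "Example", "countryName": "DE"}
IV_NO_SURNAME = {"givenName": "Alice", "countryName": "DE"}

if __name__ == "__main__":
    for oid, subj in ((DV, DV_CLEAN), (DV, DV_WITH_ORG),
                      (IV, IV_PERSON), (IV, IV_NO_SURNAME)):
        print(oid, lint_subject([oid], subj) or "ok")
```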
