[cabfpub] Notice of Review Period - Ballot 189
Kirk Hall
Kirk.Hall at entrustdatacard.com
Fri Apr 14 17:24:47 UTC 2017
NOTICE OF REVIEW PERIOD - BALLOT 189
This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's Intellectual Property Rights Policy (v1.2). This Review Period is for Final Maintenance Guidelines (30 day Review Period). A complete draft of the Draft Guideline that is the subject of this Review Notice is attached.
Date Review Notice Sent: April 14, 2017
Ballot for Review: Ballot 189
Start of Review Period: April 14, 2017 at 22:00 UTC
End of Review Period: May 14, 2017 at 22:00 UTC
Note: Assuming no Exclusion Notices are filed, we will substitute the date "August 14, 2017" for the words "3 months after the ballot passes" in the updated Baseline Requirements as follows:
"Effective 3 months after the ballot passes August 14, 2017, Certificates for Time Stamping end-entity Certificates SHALL NOT be directly issued from these Root Certificates."
Please forward any Exclusion Notice relating to Essential Claims to the Chair by email to kirk.hall at entrustdatacard.com before the end of the Review Period. See current version of CA/Browser Forum Intellectual Property Rights Policy for details.
(Optional form of Exclusion Notice is attached)
Ballot 189 - Amend Section 6.1.7 of Baseline Requirements
-- MOTION BEGINS --
Current section 6.1.7
Root CA Private Keys MUST NOT be used to sign Certificates except in the following cases:
1. Self-signed Certificates to represent the Root Certificate itself;
2. Certificates for Subordinate CAs and Cross Certificates;
3. Certificates for infrastructure purposes (e.g. administrative role certificates, internal CA operational device certificates, and OCSP Response verification Certificates);
4. Certificates issued solely for the purpose of testing products with Certificates issued by a Root CA; and
5. Subscriber Certificates, provided that:
* The Root CA uses a 1024-bit RSA signing key that was created prior to the Effective Date;
* The Applicant's application was deployed prior to the Effective Date;
* The Applicant's application is in active use by the Applicant or the CA uses a documented process to establish that the Certificate's use is required by a substantial number of Relying Parties;
* The CA follows a documented process to determine that the Applicant's application poses no known security risks to Relying Parties;
* The CA documents that the Applicant's application cannot be patched or replaced without substantial economic outlay.
* The CA signs the Subscriber Certificate on or before June 30, 2016; and
* The notBefore field in the Subscriber Certificate has a date on or before June 30, 2016
Proposed section 6.1.7
Private Keys corresponding to Root Certificates that participate in a hierarchy that issues Certificates with an extKeyUsage extension that includes the value id-kp-serverAuth [RFC5280] MUST NOT be used to sign Certificates except in the following cases:
1. Self-signed Certificates to represent the Root CA itself;
2. Certificates for Subordinate CAs and Cross Certificates;
3. Certificates for infrastructure purposes (administrative role certificates, internal CA operational device certificates)
4. Certificates for OCSP Response verification;
Effective 3 months after the ballot passes, Certificates for Time Stamping end-entity Certificates SHALL NOT be directly issued from these Root Certificates.
-- MOTION ENDS --
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ballot 189 - Review Notice and Exclusion Notice Template.pdf
Type: application/pdf
Size: 498046 bytes
Desc: Ballot 189 - Review Notice and Exclusion Notice Template.pdf
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170414/56625ff7/attachment-0002.pdf>