[Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates

Wayne Thayer wthayer at mozilla.com
Wed Nov 6 20:02:18 MST 2019


Purpose of Ballot:

This ballot intends to clarify requirements placed on Precertificates in BR
section 4.9.10.

During a lengthy discussion on the mozilla.dev.security.policy forum [1],
it was discovered that BR section 4.9.10 combined with BR section 7.1.2.5
prevents a CA from responding “good” for a precertificate. This is a
problem because there is no guarantee that a certificate corresponding to a
Precertificate has not been issued, resulting in root store policies such
as [2] that require CAs to treat the existence of a Precertificate as a
presumption that a corresponding certificate has been issued and thus that
a valid OCSP response is required.

This ballot intends to resolve the problem by clarifying in the BRs that a
CA may provide revocation information for the serial number contained in a
Precertificate.

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ

[2]
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates


The following motion has been proposed by Wayne Thayer of Mozilla and
endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.


-- MOTION BEGINS --

This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows, based on Version
1.6.6, or based on Version 1.6.6 as modified by ballot SC24:

ADD a reference to section 1.6.3 of the Baseline Requirements as defined in
the following redline:

https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP

REPLACE section 4.9.10 of the Baseline Requirements in its entirety as
defined in the following redline:

https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP

-- MOTION ENDS --

This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 3-October 2019 18:00 UTC

End Time: 07-November 2019 03:00 UTC

Vote for approval (7 days)

Start Time: 07-November 2019 03:00 UTC

End Time: 14-November 2019 03:00 UTC