[Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates
Wayne Thayer
wthayer at mozilla.com
Wed Nov 6 20:02:18 MST 2019
Purpose of Ballot:
This ballot intends to clarify requirements placed on Precertificates in BR
section 4.9.10.
During a lengthy discussion on the mozilla.dev.security.policy forum [1],
it was discovered that BR section 4.9.10 combined with BR section 7.1.2.5
prevents a CA from responding “good” for a precertificate. This is a
problem because there is no guarantee that a certificate corresponding to a
Precertificate has not been issued, resulting in root store policies such
as [2] that require CAs to treat the existence of a Precertificate as a
presumption that a corresponding certificate has been issued and thus that
a valid OCSP response is required.
This ballot intends to resolve the problem by clarifying in the BRs that a
CA may provide revocation information for the serial number contained in a
Precertificate.
[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ
[2]
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates
The following motion has been proposed by Wayne Thayer of Mozilla and
endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.
-- MOTION BEGINS --
This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows, based on Version
1.6.6, or based on Version 1.6.6 as modified by ballot SC24:
ADD a reference to section 1.6.3 of the Baseline Requirements as defined in
the following redline:
https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
REPLACE section 4.9.10 of the Baseline Requirements in its entirety as
defined in the following redline:
https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
-- MOTION ENDS --
This ballot proposes a Final Maintenance Guideline.
The procedure for approval of this ballot is as follows:
Discussion (7+ days)
Start Time: 3-October 2019 18:00 UTC
End Time: 07-November 2019 03:00 UTC
Vote for approval (7 days)
Start Time: 07-November 2019 03:00 UTC
End Time: 14-November 2019 03:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191106/7e375c00/attachment.html>
More information about the Servercert-wg
mailing list