[Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates

Rob Stradling rob at sectigo.com
Mon Nov 11 04:03:02 MST 2019


Sectigo votes YES.

On 07/11/2019 03:02, Wayne Thayer via Servercert-wg wrote:
> Purpose of Ballot:
> 
> 
> This ballot intends to clarify requirements placed on Precertificates in 
> BR section 4.9.10.
> 
> 
> During a lengthy discussion on the mozilla.dev.security.policy forum 
> [1], it was discovered that BR section 4.9.10 combined with BR section 
> 7.1.2.5 prevents a CA from responding “good” for a precertificate. This 
> is a problem because there is no guarantee that a certificate 
> corresponding to a Precertificate has not been issued, resulting in root 
> store policies such as [2] that require CAs to treat the existence of a 
> Precertificate as a presumption that a corresponding certificate has 
> been issued and thus that a valid OCSP response is required.
> 
> 
> This ballot intends to resolve the problem by clarifying in the BRs that 
> a CA may provide revocation information for the serial number contained 
> in a Precertificate.
> 
> 
> [1] 
> https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ
> 
> [2] 
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates
> 
> 
> 
> The following motion has been proposed by Wayne Thayer of Mozilla and 
> endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.
> 
> 
> 
> -- MOTION BEGINS --
> 
> 
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based on 
> Version 1.6.6, or based on Version 1.6.6 as modified by ballot SC24:
> 
> 
> ADD a reference to section 1.6.3 of the Baseline Requirements as defined 
> in the following redline:
> 
> 
> https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
> 
> 
> REPLACE section 4.9.10 of the Baseline Requirements in its entirety as 
> defined in the following redline:
> 
> 
> https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
> 
> 
> -- MOTION ENDS --
> 
> 
> This ballot proposes a Final Maintenance Guideline.
> 
> 
> The procedure for approval of this ballot is as follows:
> 
> 
> Discussion (7+ days)
> 
> 
> Start Time: 3-October 2019 18:00 UTC
> 
> 
> End Time: 07-November 2019 03:00 UTC
> 
> 
> Vote for approval (7 days)
> 
> 
> Start Time: 07-November 2019 03:00 UTC
> 
> 
> End Time: 14-November 2019 03:00 UTC
> 
> 

-- 
Rob Stradling
Senior Research & Development Scientist
Email: rob at sectigo.com
Bradford, UK
Office: +441274024707
Sectigo Limited
