[Servercert-wg] Ballot SC23 V3: Precertificates

Peter Miškovič Peter.Miskovic at disig.sk
Tue Nov 12 08:24:43 MST 2019

Disig votes "Yes" on Ballot SC23 V3: Precertificates.


-----Original Message-----
From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of servercert-wg-request at cabforum.org
Sent: Thursday, November 7, 2019 7:37 AM
To: servercert-wg at cabforum.org
Subject: Servercert-wg Digest, Vol 17, Issue 21

Send Servercert-wg mailing list submissions to
	servercert-wg at cabforum.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	servercert-wg-request at cabforum.org

You can reach the person managing the list at
	servercert-wg-owner at cabforum.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Servercert-wg digest..."

Today's Topics:

   1. Voting Begins: Ballot SC23 V3: Precertificates (Wayne Thayer)
   2. Identity in browser UIs (Scott Rea)


Message: 1
Date: Wed, 6 Nov 2019 20:02:18 -0700
From: Wayne Thayer <wthayer at mozilla.com>
To: "CA/B Forum Server Certificate WG Public Discussion List"
	<servercert-wg at cabforum.org>
Subject: [Servercert-wg] Voting Begins: Ballot SC23 V3:
	<CAJE6Z6fYYrTHuQGA0e0FiF59wjHrAM-CfQ1FfE50tTtkvrV-6w at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Purpose of Ballot:

This ballot intends to clarify requirements placed on Precertificates in BR section 4.9.10.

During a lengthy discussion on the mozilla.dev.security.policy forum [1], it was discovered that BR section 4.9.10 combined with BR section prevents a CA from responding ?good? for a precertificate. This is a problem because there is no guarantee that a certificate corresponding to a Precertificate has not been issued, resulting in root store policies such as [2] that require CAs to treat the existence of a Precertificate as a presumption that a corresponding certificate has been issued and thus that a valid OCSP response is required.

This ballot intends to resolve the problem by clarifying in the BRs that a CA may provide revocation information for the serial number contained in a Precertificate.



The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.


This ballot modifies the ?Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates? as follows, based on Version 1.6.6, or based on Version 1.6.6 as modified by ballot SC24:

ADD a reference to section 1.6.3 of the Baseline Requirements as defined in the following redline:


REPLACE section 4.9.10 of the Baseline Requirements in its entirety as defined in the following redline:



This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 3-October 2019 18:00 UTC

End Time: 07-November 2019 03:00 UTC

Vote for approval (7 days)

Start Time: 07-November 2019 03:00 UTC

End Time: 14-November 2019 03:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191106/7e375c00/attachment-0001.html>


Message: 2
Date: Thu, 7 Nov 2019 06:36:23 +0000
From: Scott Rea <Scott.Rea at darkmatter.ae>
To: CA/B Forum Server Certificate WG Public Discussion List
	<servercert-wg at cabforum.org>
Subject: [Servercert-wg] Identity in browser UIs
Message-ID: <06bc1a3fd8994befb42630762f291d62 at darkmatter.ae>
Content-Type: text/plain; charset="utf-8"

G?day Folks,

I listened to Chris? presentation today at the CABF F2F 48. There are a couple of things I am not clear on?

1.      What are the list of WG?s that Browsers are already participating in where Identity UI is being discussed? Can the participating Browsers please post a list of WG?s or forums they are participating in where this is discussed?

2.      Secondary to the above, which of these are potentially open to CAs participating in them?

3.      If CABF previously voted to stop work on coordinating Identity UIs, it would be good to understand the context for that decision ? and I understand that potentially Ryan may be able to provide the documentation for this.

4.      In respect to the alleged decision from #3 above, or any decision the CABF has made in the past, is there some prohibition in our by-laws that stops us from ever discussing it in future?? If the membership wants to take a fresh look at this particular issue/opportunity, aren?t we free to do so?

5.      If there are forums where this is being discussed today, wouldn?t it be more efficient to coalesce an Industry perspective in CABF and then send a representative to those forums to convey that perspective rather than waiting for individual players to show up piecemeal to provide their perspectives.

I don?t have the historical context of the decision to work on this issue or not work on it, but it certainly seems to be a hot topic of interest today, and I am wondering if there is support for this in the CABF, why we can?t proceed to seek to address this like any other issue we identify?


Scott Rea
        Senior Vice President - Trust Services

[cid:imagef90f68.PNG at e8ecb06e.44a0647a]<http://www.darkmatter.ae>

Level 15, Aldar HQ
Abu Dhabi, United Arab Emirates
T  +971 2 417 1417<tel:+971%202%20417%201417> M +971 52 847 5093<tel:+971%2052%20847%205093> E  Scott.Rea at darkmatter.ae<mailto:Scott.Rea at darkmatter.ae>


[Linkedin]<https://www.linkedin.com/company/dark-matter-llc> [Twitter] <https://twitter.com/GuardedbyGenius>
 [Year of Tolerance] <http://>  [expo]

The information in this email is intended only for the person(s) or entity to whom it is addressed and may contain confidential or privileged information. If you receive this email by error, please notify us immediately, delete the original message and do not disclose the contents to any other person, use or store or copy the information in any medium and for whatever purpose. Any unauthorized use is strictly prohibited.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191107/03f89ecc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: imagef90f68.PNG
Type: image/png
Size: 5249 bytes
Desc: imagef90f68.PNG
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191107/03f89ecc/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image3189a7.PNG
Type: image/png
Size: 663 bytes
Desc: image3189a7.PNG
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191107/03f89ecc/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image4b814d.PNG
Type: image/png
Size: 803 bytes
Desc: image4b814d.PNG
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191107/03f89ecc/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image334b20.JPG
Type: image/jpeg
Size: 33601 bytes
Desc: image334b20.JPG
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191107/03f89ecc/attachment.jpe>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image3f517c.JPG
Type: image/jpeg
Size: 22669 bytes
Desc: image3f517c.JPG
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191107/03f89ecc/attachment-0001.jpe>


Subject: Digest Footer

Servercert-wg mailing list
Servercert-wg at cabforum.org


End of Servercert-wg Digest, Vol 17, Issue 21

More information about the Servercert-wg mailing list