[Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates

Mike Reilly (GRC) Mike.Reilly at microsoft.com
Tue Nov 12 11:28:32 MST 2019


Microsoft votes “Yes” on Ballot SC23 V3.  Thanks, Mike

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Wednesday, November 6, 2019 7:02 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates


Purpose of Ballot:


This ballot intends to clarify requirements placed on Precertificates in BR section 4.9.10.


During a lengthy discussion on the mozilla.dev.security.policy forum [1], it was discovered that BR section 4.9.10 combined with BR section 7.1.2.5 prevents a CA from responding “good” for a precertificate. This is a problem because there is no guarantee that a certificate corresponding to a Precertificate has not been issued, resulting in root store policies such as [2] that require CAs to treat the existence of a Precertificate as a presumption that a corresponding certificate has been issued and thus that a valid OCSP response is required.


This ballot intends to resolve the problem by clarifying in the BRs that a CA may provide revocation information for the serial number contained in a Precertificate.


[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ

[2] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates


The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.


-- MOTION BEGINS --


This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.6.6, or based on Version 1.6.6 as modified by ballot SC24:


ADD a reference to section 1.6.3 of the Baseline Requirements as defined in the following redline:


https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP


REPLACE section 4.9.10 of the Baseline Requirements in its entirety as defined in the following redline:


https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP


-- MOTION ENDS --


This ballot proposes a Final Maintenance Guideline.


The procedure for approval of this ballot is as follows:


Discussion (7+ days)


Start Time: 03-October 2019 18:00 UTC


End Time: 07-November 2019 03:00 UTC


Vote for approval (7 days)


Start Time: 07-November 2019 03:00 UTC


End Time: 14-November 2019 03:00 UTC
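The ballot's rationale rests on two facts about RFC 6962 Precertificates: a Precertificate is a certificate-shaped object marked with a critical "poison" extension (OID 1.3.6.1.4.1.11129.2.4.3), and it already fixes the serial number that the final certificate will carry, which is why root-store policy treats its existence as a presumption of issuance and expects the CA's OCSP responder to answer for that serial. The example below is added here and is not code from this thread, from the CA/B Forum or from any CA; it is a minimal DER walker that recognises the poison extension and extracts the serial, plus a status lookup that shows the expected OCSP answer once Precertificate serials are recorded as issued. The sample certificates it parses are constructed by a tiny DER encoder in the same block: they are unsigned and have empty issuer, subject and validity fields, so the walker is only a demonstration of the layout, not a validating X.509 parser.

```python
"""Added example: recognise an RFC 6962 Precertificate in DER and extract the
serial number an OCSP responder must be able to answer for. The parser and the
sample certificates are constructed for this illustration; the samples are
unsigned and not real certificates."""

# RFC 6962 section 3.1: a Precertificate carries this critical extension
# (value ASN.1 NULL) so that no client ever accepts it as a final certificate.
CT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"


def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a constructed element into its (tag, value) children."""
    children, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        children.append((tag, child))
    return children


def decode_oid(body):
    """Dotted-string form of an OBJECT IDENTIFIER body (base-128 arcs)."""
    arcs, n = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def inspect_certificate(der):
    """Return (serial, is_precert) for a DER-encoded Certificate."""
    _, cert, _ = der_tlv(der)
    tbs_fields = der_children(der_children(cert)[0][1])   # tbsCertificate
    i = 1 if tbs_fields[0][0] == 0xA0 else 0              # skip explicit [0] version
    tag, serial_bytes = tbs_fields[i]
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    serial = int.from_bytes(serial_bytes, "big", signed=True)
    is_precert = False
    for tag, value in tbs_fields[i + 1:]:
        if tag == 0xA3:                                   # [3] extensions
            for _, ext in der_children(der_children(value)[0][1]):
                if decode_oid(der_children(ext)[0][1]) == CT_POISON_OID:
                    is_precert = True
    return serial, is_precert


def ocsp_status(serial, issued, revoked):
    """Expected OCSP answer once every logged Precertificate serial is in `issued`:
    under the presumption-of-issuance policy the answer is 'good' or 'revoked',
    never 'unknown', even if the CA never signed the final certificate."""
    if serial in revoked:
        return "revoked"
    return "good" if serial in issued else "unknown"


# --- constructed sample input: a tiny DER encoder used only to build test certs ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for n in arcs[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, body)


def build_sample_cert(serial, precert):
    """Unsigned stand-in Certificate with the real field order but empty
    signature algorithm, issuer, validity, subject and public-key fields."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))                        # v3
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps INTEGER positive
    exts = [tlv(0x30, encode_oid("2.5.29.19") + tlv(0x04, tlv(0x30, b"")))]  # basicConstraints
    if precert:  # critical poison extension whose value is NULL
        exts.append(tlv(0x30, encode_oid(CT_POISON_OID) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x05, b""))))
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, version + tlv(0x02, serial_bytes) + empty * 5 + tlv(0xA3, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))            # + sigAlg + signature


if __name__ == "__main__":
    pre = build_sample_cert(0x1234, precert=True)
    serial, is_pre = inspect_certificate(pre)
    issued = {serial}  # record the serial as issued as soon as the Precertificate exists
    print(hex(serial), is_pre, ocsp_status(serial, issued, set()))
```

The walker only navigates the fixed field order of a Certificate (version, serialNumber, then the `[3]` extensions wrapper) and reads the extension OIDs; a production OCSP backend or CT monitor would use a full X.509 library, but the lookup it has to perform is the same: key revocation status by the serial that the Precertificate already committed to.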