[Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates
Janet Hines
JHines at securetrust.com
Wed Nov 13 13:24:44 MST 2019
SecureTrust votes YES on ballot SC23 V3.
From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Wayne Thayer via Servercert-wg <servercert-wg at cabforum.org>
Reply-To: Wayne Thayer <wthayer at mozilla.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Date: Wednesday, November 6, 2019 at 10:02 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates
Purpose of Ballot:
This ballot intends to clarify requirements placed on Precertificates in BR section 4.9.10.
During a lengthy discussion on the mozilla.dev.security.policy forum [1], it was discovered that BR section 4.9.10 combined with BR section 7.1.2.5 prevents a CA from responding “good” for a precertificate. This is a problem because there is no guarantee that a certificate corresponding to a Precertificate has not been issued, resulting in root store policies such as [2] that require CAs to treat the existence of a Precertificate as a presumption that a corresponding certificate has been issued and thus that a valid OCSP response is required.
This ballot intends to resolve the problem by clarifying in the BRs that a CA may provide revocation information for the serial number contained in a Precertificate.
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ
[2] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates
The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.
-- MOTION BEGINS --
This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.6.6, or based on Version 1.6.6 as modified by ballot SC24:
ADD a reference to section 1.6.3 of the Baseline Requirements as defined in the following redline:
https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
REPLACE section 4.9.10 of the Baseline Requirements in its entirety as defined in the following redline:
https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
-- MOTION ENDS --
This ballot proposes a Final Maintenance Guideline.
The procedure for approval of this ballot is as follows:
Discussion (7+ days)
Start Time: 03-October 2019 18:00 UTC
End Time: 07-November 2019 03:00 UTC
Vote for approval (7 days)
Start Time: 07-November 2019 03:00 UTC
End Time: 14-November 2019 03:00 UTC
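The ballot text above turns on one technical fact: an OCSP responder identifies a certificate by CertID (hash of issuer name, hash of issuer key, serial number), and a Precertificate carries exactly the same serial and issuer as the certificate it precedes, so the responder cannot tell which of the two a client is asking about. The script below is an added illustration, not part of the ballot or of either message in this thread. It uses the third-party `cryptography` package to build a throw-away issuing CA, a Precertificate (with the RFC 6962 poison extension) and the corresponding final certificate, shows that the OCSP CertIDs computed for both are byte-identical, and models the responder rule that results when a Precertificate serial is presumed issued. The CA name, subject name, serial and key material are all constructed for the demo.

```python
"""Added example (not from the ballot or this thread): a Precertificate and
its final certificate produce the same OCSP CertID, so revocation status
must be served for the serial regardless of which one was issued.
Requires the third-party `cryptography` package.  All names, keys and
serials below are constructed for the demo and belong to no real CA."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtensionOID, NameOID

# RFC 6962 section 3.1: the critical poison extension (1.3.6.1.4.1.11129.2.4.3)
# that makes a Precertificate unusable as a TLS certificate.
PRECERT_POISON_OID = ExtensionOID.PRECERT_POISON


def make_ca():
    """Throw-away issuing CA (constructed for the demo, not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(datetime.datetime(2019, 11, 1))
        .not_valid_after(datetime.datetime(2029, 11, 1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_pair(ca_key, ca_cert, serial):
    """Build a Precertificate and the corresponding final certificate.
    Both carry the same issuer, subject, serial, validity and public key;
    the only difference is the poison extension."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])

    def base():
        return (
            x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(ca_cert.subject)
            .public_key(leaf_key.public_key())
            .serial_number(serial)
            .not_valid_before(datetime.datetime(2019, 11, 13))
            .not_valid_after(datetime.datetime(2020, 11, 13))
        )

    precert = (
        base()
        .add_extension(x509.PrecertPoison(), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    final = base().sign(ca_key, hashes.SHA256())
    return precert, final


def is_precertificate(cert):
    """True if the certificate carries a critical poison extension."""
    try:
        ext = cert.extensions.get_extension_for_oid(PRECERT_POISON_OID)
    except x509.ExtensionNotFound:
        return False
    return ext.critical


def ocsp_cert_id(cert, issuer):
    """The CertID an OCSP client would send (RFC 6960): hash of issuer name,
    hash of issuer key, serial.  Nothing in it depends on the leaf's extensions.
    SHA-1 is used because that is what most deployed OCSP clients send."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return (req.issuer_name_hash, req.issuer_key_hash, req.serial_number)


def responder_status(serial, issued_serials, precert_serials, revoked_serials):
    """Status for a serial once a Precertificate is presumed to mean a
    certificate was issued (the practice cited as [2] in the ballot).
    A serial the CA never issued or pre-issued gets no 'good' answer."""
    if serial in revoked_serials:
        return "revoked"
    if serial in issued_serials or serial in precert_serials:
        return "good"
    return "unknown"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    serial = 0x0123456789ABCDEF0123456789ABCDEF  # constructed demo serial
    pre, fin = build_pair(ca_key, ca_cert, serial)
    print("precert:", is_precertificate(pre), "final:", is_precertificate(fin))
    print("same CertID:", ocsp_cert_id(pre, ca_cert) == ocsp_cert_id(fin, ca_cert))
    # Only the Precertificate was ever logged, yet the responder answers "good".
    print(responder_status(serial, set(), {serial}, set()))
```

Because the CertID is identical for both objects, a responder that only knows about the Precertificate has no way to answer differently for the final certificate; serving status for the serial itself is the only consistent behaviour, which is what the redline makes explicit.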