[Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates

Adriano Santoni adriano.santoni at staff.aruba.it
Thu Nov 14 00:12:50 MST 2019


Actalis votes YES.

On 07/11/2019 04:02, Wayne Thayer via Servercert-wg wrote:
>
> Purpose of Ballot:
>
>
> This ballot intends to clarify requirements placed on Precertificates 
> in BR section 4.9.10.
>
>
> During a lengthy discussion on the mozilla.dev.security.policy forum 
> [1], it was discovered that BR section 4.9.10 combined with BR section 
> 7.1.2.5 prevents a CA from responding “good” for a precertificate. 
> This is a problem because there is no guarantee that a certificate 
> corresponding to a Precertificate has not been issued, resulting in 
> root store policies such as [2] that require CAs to treat the 
> existence of a Precertificate as a presumption that a corresponding 
> certificate has been issued and thus that a valid OCSP response is 
> required.
>
>
> This ballot intends to resolve the problem by clarifying in the BRs 
> that a CA may provide revocation information for the serial number 
> contained in a Precertificate.
>
>
> [1] 
> https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ
>
> [2] 
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates
>
>
>
> The following motion has been proposed by Wayne Thayer of Mozilla and 
> endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.
>
>
>
> -- MOTION BEGINS --
>
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based on 
> Version 1.6.6, or based on Version 1.6.6 as modified by ballot SC24:
>
>
> ADD a reference to section 1.6.3 of the Baseline Requirements as 
> defined in the following redline:
>
>
> https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
>
>
> REPLACE section 4.9.10 of the Baseline Requirements in its entirety as 
> defined in the following redline:
>
>
> https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
>
>
> -- MOTION ENDS --
>
>
> This ballot proposes a Final Maintenance Guideline.
>
>
> The procedure for approval of this ballot is as follows:
>
>
> Discussion (7+ days)
>
>
> Start Time: 3-October 2019 18:00 UTC
>
>
> End Time: 07-November 2019 03:00 UTC
>
>
> Vote for approval (7 days)
>
>
> Start Time: 07-November 2019 03:00 UTC
>
>
> End Time: 14-November 2019 03:00 UTC
>
>