[Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates

García Jimeno, Oscar o-garcia at izenpe.eus
Thu Nov 14 05:45:11 MST 2019


Izenpe votes YES on ballot SC23 v3

Oscar García Jimeno
Security Manager
o-garcia at izenpe.eus


From: Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] On behalf of Wayne Thayer via Servercert-wg
Sent: Thursday, 7 November 2019 4:02
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Voting Begins: Ballot SC23 V3: Precertificates


Purpose of Ballot:


This ballot intends to clarify requirements placed on Precertificates in BR section 4.9.10.


During a lengthy discussion on the mozilla.dev.security.policy forum [1], it was discovered that BR section 4.9.10 combined with BR section 7.1.2.5 prevents a CA from responding “good” for a precertificate. This is a problem because there is no guarantee that a certificate corresponding to a Precertificate has not been issued, resulting in root store policies such as [2] that require CAs to treat the existence of a Precertificate as a presumption that a corresponding certificate has been issued and thus that a valid OCSP response is required.


This ballot intends to resolve the problem by clarifying in the BRs that a CA may provide revocation information for the serial number contained in a Precertificate.


[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ

[2] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates


The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.


-- MOTION BEGINS --


This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.6.6, or based on Version 1.6.6 as modified by ballot SC24:


ADD a reference to section 1.6.3 of the Baseline Requirements as defined in the following redline:


https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP


REPLACE section 4.9.10 of the Baseline Requirements in its entirety as defined in the following redline:


https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP


-- MOTION ENDS --


This ballot proposes a Final Maintenance Guideline.


The procedure for approval of this ballot is as follows:


Discussion (7+ days)


Start Time: 3-October 2019 18:00 UTC


End Time: 07-November 2019 03:00 UTC


Vote for approval (7 days)


Start Time: 07-November 2019 03:00 UTC


End Time: 14-November 2019 03:00 UTC