[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Ryan Sleevi sleevi at google.com
Tue Oct 8 15:53:22 MST 2019


I should note, in the event the subtlety is lost:

This Ballot (SC23) does not place any new requirements on CAs. It does not
require any changes on CAs' part, and as such, is, from the point of view of
the Baseline Requirements, what we might call a "no-op".

It does, however, resolve an issue with language that some CAs have read as
creating a conflict between existing Root Program requirements and the
Baseline Requirements. That is, Root Programs require one thing, and an
interpretation of Ballot 134 has been advanced that CAs are prohibited from
complying with Root Program requirements and the BRs simultaneously. While
that's seen spirited debate about the merits of that, this change avoids
any confusion, by ensuring that the language in the BRs is consistent with
the intent (as advanced during Ballot 134) and consistent with the existing
requirements or expectations of Root Programs.

So the question of "when" is a question to be discussed directly with the
Root Programs. A delay, for example, of six months, merely means that CAs
may, if they adopt the interpretation that the BRs prohibit compliance with
the Root Program, be either out of compliance with a Root Program for six
months or out of compliance with the BRs. Neither would seem desirable for
CAs.

Those are the changes to 4.9.10. They do not require something more strict:
they permit something more liberal, which is what (some) Root Programs
require, and which the other interpretations fully permit.

Additionally, it closes a loophole in interpretation in 7.1.2.5. This
"loophole" is already prohibited by Root Programs; however, the imprecise
wording has led to some confusion that something is permitted by the BRs,
even though it is forbidden by (some) Root Programs. This again clarifies.

Thus, it can/should be seen similar in nature to Ballot 134, which lacked
an effective date, because it made the BRs more permissive, rather than
more restrictive.
