[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Ryan Sleevi sleevi at google.com
Wed Oct 9 13:17:28 MST 2019

On Wed, Oct 9, 2019 at 4:09 PM Bruce Morton <
Bruce.Morton at entrustdatacard.com> wrote:

> Hi Ryan,
> My understanding was that the ballot was being proposed as it has been
> determined that there is a problem with how some CAs are currently status
> is provided for precertificates. I agree that this needs to be fixed. I
> brought up the issue as the ballot does not provide significant time for a
> CA to fix the problem if they have the problem.
> If this ballot was proposed similar to ballot SC21 which stated “to be
> EFFECTIVE ninety (90) days after completion of the IPR Review Period”, then
> there would probably have been no discussion.

I think it's a useful question, but I don't think it's a question for the
Forum. That's something you should raise with the Root Programs, if you're
worried about non-compliance.

This ballot simply makes things more permissive, in a way that is clearer
as to the intent (discussed back when it was originally introduced), to
provide assurance to CAs that the requirements placed on them by Root
Programs do not conflict with their expectations. Again, there are totally
valid ways to read the existing Root Programs as having no conflict with
the BRs, as written today, and suggesting this Ballot is entirely
unnecessary. However, much like Ballot 134 sought to provide assurance,
particularly to CAs' auditors, that this was both expected and accepted,
the proposed ballot here, SC23, provides clarity that certain things are
permitted, and not forbidden.

Whether or not those permitted things are required, however, is a
discussion for the Root Program. This Ballot doesn't make anything new
required. That's why, from both an IP perspective and a phase in, it's no

The comparable ballots might be Ballot 134, which had no phase-in, or
Ballots SC16, which had no phase-in, or Ballots SC13, SC14, SC17 and SC19 -
none of which had phase-ins for being clearer about the things permitted.

The comparison to Ballot SC21 is not a good comparison, because Ballot SC21
actually imposes new requirements, as noted within the Ballot itself. As I
mentioned, this doesn't, and like the many clarification or permissiveness
Ballots that Entrust has voted on in the past, it should seem to be of
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191009/ee7f5a0f/attachment-0001.html>

More information about the Servercert-wg mailing list