[Servercert-wg] Draft Ballot for Cleanups
Ryan Sleevi
sleevi at google.com
Sat Oct 12 08:27:34 MST 2019
Note: This is not yet a formalized draft ballot, because of the
interactions with SC23 modifying some of the same sections. We'd need to
decide if we want these ballots to run concurrently, which would mean
providing versions both with and without the SC23 changes. Since folks are
still discussing SC23, it seems we should let that discussion finish.
https://github.com/cabforum/documents/compare/master...sleevi:2019-07-Cleanups
can be used to show the comparison of changes so far identified for
cleanups. In particular, these cleanups are the 'non-normative' bits; I'll
send a separate ballot for the cleanups to align the BRs with one or more
existing root program requirements (e.g. where the root program is more
restrictive).
This was an effort from the Validation WG, originally started by Tim
Hollebeek, formerly known as our "Spring Cleaning" ballot :)
The specific list of changes and motivations, along with specific requests
for feedback on some of these points:
To the BRs:
- Correct the authorized port descriptive label (http -> https)
- Correct a few typos (contract -> contact, assigns -> assignees)
- Clarify the Request Token should be documented in the CP/CPS (or a
document referenced from the CP/CPS)
- One potential area of confusion is if folks read it as permitting a
private/internal only document. I wanted to correct this to say
"publicly-available document", but thought it best to check in with folks
on this to see if there were objections. I'll take silence as assent
- Moved the construction examples of a Request Token to the
definition of a Request Token
- Removed the term Test Certificate, as it is no longer used in the BRs
- I'm a little mixed on this change. It's a term no longer used by
the BRs, and so it makes sense to delete from the BRs. However, I worry
that it might lead CAs to inventing their own definition of what a "test
certificate" is (under the premise of Default-Allow vs Default-Deny).
- An alternative, which if we want to pursue I suspect would be a
separate ballot that aligns the BRs with existing Root Program
requirements
(which I'll be sharing shortly), is to remove (i) which is forbidden by
Mozilla since 2016, and only leave the definition (ii) in.
- Correct some of our acronyms
- Remove effective dates that are in the past
- Remove validation methods that are no longer permitted
- Note: This also involves typographical changes to section 3.2.2.4;
the sections were inconsistent in their use of boiler plate, and so this
simply aligned the formatting and line spacing, since this ballot is for
changes that are non-normative in impact
- Pay close attention to 3.2.2.4.4, which tries to address the
concern with how to read "lists of things"; this should be only a
formatting change, but if folks feel otherwise, we should correct
- Corrects some unnecessarily gendered language to be gender-neutral
- Clarify that the usable OIDs in a certificatePolicies are what the CA
documents, and not simply restricted to a CA's own OID arc.
- This is to make it clear that it's fine to use the CABF-defined
OIDs for DV/OV/IV/EV
- Adds the OID for organizationalUnitName, matching the rest of the
Subscriber DN documentation
- Cleanup the algorithm requirements
- Section 6.1.5 is rewritten to reflect what is permitted. This is
especially important to clarify the requirements are about when it's
issued, and not simply the validity period expressed in the certificate.
- Section 7.1.3 is partially rewritten. The MUST NOT is still kept,
even though Section 6.1.5 clearly omits it, in order to avoid
any ambiguity
from folks confused about signature algorithm. Given the confusion around
Default-Allow vs Default-Deny, I can see an argument for
removing that MUST
NOT, so curious folks' take
- It also removes the now-expired grandfathering for OCSP responders.
- That said, I can see confusion resulting from 7.1.3 explicitly
mentioning certificates, and not mentioning OCSP. I'm curious how folks
would feel about rewording this to "CAs MUST NOT sign any data using the
SHA-1 algorithm", which would make it clearer that this also
includes OCSP
responses. This should not be a normative change, but if folks
feel it's ok
to sign OCSP responses with SHA-1, then we can defer that to a separate
ballot and work out the nuances.
To the EVGs:
- Unifies the references to BRs to consistently say Baseline Requirements
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191012/df92e525/attachment.html>
More information about the Servercert-wg
mailing list