[Servercert-wg] Discussion Begins: Ballot SC24: Fall Cleanup

Ryan Sleevi sleevi at google.com
Thu Oct 24 08:22:26 MST 2019

Wayne, do these work for you? I'll happily make the change (and also open a
proper PR for the draft ballot, into the CABF repo, to make sure it's got a
stable ID)

On Thu, Oct 24, 2019 at 10:47 AM Tim Hollebeek <tim.hollebeek at digicert.com> wrote:

> Yes, I’m fine with:
> “Test Certificate: This term is no longer used in these Baseline
> Requirements.”

This works for me.

Wayne, does this meet your goal of providing a sign-post? Did you want to
suggest something stronger?
Jacob: Does this work for you/LE?

> or similar.
> On the SHA-1 requirement in 7.1.3, let me propose some text which might
> make the issue clearer:
> “CAs MUST NOT issue any Subscriber certificates or new Subordinate CA
> certificates using the SHA-1 hash algorithm.  This Section 7.1.3 does not
> apply to Root CA or CA cross certificates. CAs MAY continue to use their
> existing SHA-1 Root Certificates. Subscriber certificates SHOULD NOT chain
> up to a SHA-1 Subordinate CA Certificate.”

As noted on today's validation call, I think we're in agreement that this
opens the door for possible messiness (cf. the recent discussions around
what a "cross certificate" is - both in the BR sense and the 5280 sense),
but it sounds like the plan is to have a separate ballot to close that.
While I'm not thrilled (since the cleanup ballot does include other
normative changes that better clarify intent, which I think this would be),
I'm on board with tackling this as a ballot immediately after. In terms of
sequencing/timing, and in deference to Jos' hard work on a markdown
cleanup, I think we could sequence such a follow-up ballot to be based on
his work, so that he doesn't have to account for it in his ballot.

Wayne, Jacob: Are you OK with adopting the above language? If so, I can
make the change.