[Servercert-wg] Discussion Begins: Ballot SC24: Fall Cleanup

Wayne Thayer wthayer at mozilla.com
Thu Oct 24 11:43:19 MST 2019


On Thu, Oct 24, 2019 at 8:23 AM Ryan Sleevi <sleevi at google.com> wrote:

> Wayne, do these work for you? I'll happily make the change (and also open
> a proper PR for the draft ballot, into the CABF repo, to make sure it's got
> a stable ID)
>
> On Thu, Oct 24, 2019 at 10:47 AM Tim Hollebeek <tim.hollebeek at digicert.com>
> wrote:
>
>> Yes, I’m fine with:
>>
>> “Test Certificate: This term is no longer used in these Baseline
>> Requirements.”
>>
>
> This works for me.
>
> Wayne, does this meet your goal of providing a sign-post? Did you want to
> suggest something stronger?
>

I disagree, for the reasons stated earlier, that my proposed language for
Test Certificate goes beyond the scope of a cleanup ballot. I also feel
that it provides better guidance to CAs. However, for the sake of getting
this ballot done I'll accept Tim's proposal.

Jacob: Does this work for you/LE?
>
>
>> or similar.
>>
>>
>>
>> On the SHA-1 requirement in 7.1.3, let me propose some text which might
>> make the issue clearer:
>>
>> “CAs MUST NOT issue any Subscriber certificates or new Subordinate CA
>> certificates using the SHA-1 hash algorithm.  This Section 7.1.3 does not
>> apply to Root CA or CA cross certificates. CAs MAY continue to use their
>> existing SHA-1 Root Certificates. Subscriber certificates SHOULD NOT chain
>> up to a SHA-1 Subordinate CA Certificate.”
>>
>
> As noted on today's validation call, I think we're in agreement that this
> opens the door for possible messiness (cf. the recent discussions around
> what a "cross certificate" is - both in the BR sense and the 5280 sense),
> but it sounds like the plan is to have a separate ballot to close that.
> While I'm not thrilled (since the cleanup ballot does include other
> normative changes that better clarify intent, which I think this would be),
> I'm on board with tackling this as a ballot immediately after. In terms of
> sequencing/timing, and in deference to Jos' hard work on a markdown
> cleanup, I think we could sequence such a follow-up ballot to be based on
> his work, so that he doesn't have to account for it in his ballot.
>
> Wayne, Jacob: Are you OK with adopting the above language? If so, I can
> make the change.
>

Yes, I accept this change.