[Servercert-wg] Ballot SC23 v3: Precertificates

Wayne Thayer wthayer at mozilla.com
Mon Oct 28 20:45:13 MST 2019

Here is v3 of the Precertificates ballot, based on Ryan Sleevi's proposal.
This email resets the discussion period as defined below.

Ballot SC23 v3: Precertificates

Purpose of Ballot:

This ballot intends to clarify requirements placed on Precertificates in BR
section 4.9.10.

During a lengthy discussion on the mozilla.dev.security.policy forum [1],
it was discovered that BR section 4.9.10 combined with BR section
prevents a CA from responding “good” for a precertificate. This is a
problem because there is no guarantee that a certificate corresponding to a
Precertificate has not been issued, resulting in root store policies such
as [2] that require CAs to treat the existence of a Precertificate as a
presumption that a corresponding certificate has been issued and thus that
a valid OCSP response is required.

This ballot intends to resolve the problem by clarifying in the BRs that a
CA may provide revocation information for the serial number contained in a



The following motion has been proposed by Wayne Thayer of Mozilla and
endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.


This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows, based on Version
1.6.6, or based on Version 1.6.6 as modified by ballot SC24:

ADD a reference to section 1.6.3 of the Baseline Requirements as defined in
the following redline:


REPLACE section 4.9.10 of the Baseline Requirements in its entirety as
defined in the following redline:



This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 3-October 2019 18:00 UTC

End Time: No earlier than 05-November 2019 04:00 UTC

Vote for approval (7 days)

Start Time: TBD

End Time: TBD