[Servercert-wg] Ballot SC23 v3: Precertificates

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Oct 29 06:48:20 MST 2019


Got it

https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP?diff=split


On 29/10/2019 3:40 PM, Wayne Thayer wrote:
> On Mon, Oct 28, 2019 at 11:10 PM Dimitris Zacharopoulos (HARICA) 
> <dzacharo at harica.gr> wrote:
>
>     Wayne,
>
>     Could you possibly send the red-line links that compare the
>     document side-by-side, as the "rich diff" doesn't render?
>
>
> As best I can tell, GitHub doesn't allow you to set the display format 
> to "source diff" (side-by-side) via the URL, but the link in the 
> ballot renders as a source diff by default (i.e. when opened in a new 
> private browsing window).
>
>
>     Thank you,
>     Dimitris.
>
>     On 29/10/2019 5:45 AM, Wayne Thayer via Servercert-wg wrote:
>>     Here is v3 of the Precertificates ballot, based on Ryan Sleevi's
>>     proposal. This email resets the discussion period as defined below.
>>     ==========================
>>
>>     Ballot SC23 v3: Precertificates
>>
>>
>>     Purpose of Ballot:
>>
>>
>>     This ballot intends to clarify requirements placed on
>>     Precertificates in BR section 4.9.10.
>>
>>
>>     During a lengthy discussion on the mozilla.dev.security.policy
>>     forum [1], it was discovered that BR section 4.9.10 combined with
>>     BR section 7.1.2.5 prevents a CA from responding “good” for a
>>     precertificate. This is a problem because there is no guarantee
>>     that a certificate corresponding to a Precertificate has not been
>>     issued, resulting in root store policies such as [2] that require
>>     CAs to treat the existence of a Precertificate as a presumption
>>     that a corresponding certificate has been issued and thus that a
>>     valid OCSP response is required.
>>
>>
>>     This ballot intends to resolve the problem by clarifying in the
>>     BRs that a CA may provide revocation information for the serial
>>     number contained in a Precertificate.
>>
>>
>>     [1]
>>     https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ
>>
>>     [2]
>>     https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates
>>
>>
>>
>>     The following motion has been proposed by Wayne Thayer of Mozilla
>>     and endorsed by Jeremy Rowley of DigiCert and Rob Stradling of
>>     Sectigo.
>>
>>
>>
>>     -- MOTION BEGINS --
>>
>>
>>     This ballot modifies the “Baseline Requirements for the Issuance
>>     and Management of Publicly-Trusted Certificates” as follows,
>>     based on Version 1.6.6, or based on Version 1.6.6 as modified by
>>     ballot SC24:
>>
>>
>>     ADD a reference to section 1.6.3 of the Baseline Requirements as
>>     defined in the following redline:
>>
>>
>>     https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
>>
>>
>>     REPLACE section 4.9.10 of the Baseline Requirements in its
>>     entirety as defined in the following redline:
>>
>>
>>     https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP
>>
>>
>>     -- MOTION ENDS --
>>
>>
>>     This ballot proposes a Final Maintenance Guideline.
>>
>>
>>     The procedure for approval of this ballot is as follows:
>>
>>
>>     Discussion (7+ days)
>>
>>
>>     Start Time: 3-October 2019 18:00 UTC
>>
>>
>>     End Time: No earlier than 05-November 2019 04:00 UTC
>>
>>
>>     Vote for approval (7 days)
>>
>>
>>     Start Time: TBD
>>
>>
>>     End Time: TBD
>>
>>
>
