[Servercert-wg] Ballot SC23 v3: Precertificates

Tim Hollebeek tim.hollebeek at digicert.com
Tue Oct 29 07:36:51 MST 2019

Is it clear that the MAY requirement for “reserved” serial numbers does not conflict with the MUST NOT requirements for “unused” serial numbers?  I’m a bit worried it may not be clear that “unused” and “reserved” are non-overlapping sets.


The answer may be yes.




From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Monday, October 28, 2019 11:45 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Ballot SC23 v3: Precertificates


Here is v3 of the Precertificates ballot, based on Ryan Sleevi's proposal. This email resets the discussion period as defined below.


Ballot SC23 v3: Precertificates


Purpose of Ballot:


This ballot intends to clarify requirements placed on Precertificates in BR section 4.9.10. 


During a lengthy discussion on the mozilla.dev.security.policy forum [1], it was discovered that BR section 4.9.10 combined with BR section prevents a CA from responding “good” for a precertificate. This is a problem because there is no guarantee that a certificate corresponding to a Precertificate has not been issued, resulting in root store policies such as [2] that require CAs to treat the existence of a Precertificate as a presumption that a corresponding certificate has been issued and thus that a valid OCSP response is required.


This ballot intends to resolve the problem by clarifying in the BRs that a CA may provide revocation information for the serial number contained in a Precertificate.


[1]  <https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ> https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ

[2]  <https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates


The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.




This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.6.6, or based on Version 1.6.6 as modified by ballot SC24:


ADD a reference to section 1.6.3 of the Baseline Requirements as defined in the following redline:




REPLACE section 4.9.10 of the Baseline Requirements in its entirety as defined in the following redline:






This ballot proposes a Final Maintenance Guideline.


The procedure for approval of this ballot is as follows:


Discussion (7+ days)


Start Time: 3-October 2019 18:00 UTC


End Time: No earlier than 05-November 2019 04:00 UTC


Vote for approval (7 days)


Start Time: TBD


End Time: TBD

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191029/b495c971/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191029/b495c971/attachment.p7s>

More information about the Servercert-wg mailing list