[Servercert-wg] Ballot SC23 v3: Precertificates

Tim Hollebeek tim.hollebeek at digicert.com
Tue Oct 29 07:38:49 MST 2019


Never mind, I see the text below.  The ordering is just a bit weird.

It would be helpful if the pseudo-definition of the three states appeared above their first use, but I wouldn’t necessarily fix that unless there are other changes.

-Tim

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Tim Hollebeek via Servercert-wg
Sent: Tuesday, October 29, 2019 10:37 AM
To: Wayne Thayer <wthayer at mozilla.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Ballot SC23 v3: Precertificates

Is it clear that the MAY requirement for “reserved” serial numbers does not conflict with the MUST NOT requirements for “unused” serial numbers?  I’m a bit worried it may not be clear that “unused” and “reserved” are non-overlapping sets.

The answer may be yes.

-Tim

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Monday, October 28, 2019 11:45 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Ballot SC23 v3: Precertificates

Here is v3 of the Precertificates ballot, based on Ryan Sleevi's proposal. This email resets the discussion period as defined below.

==========================

Ballot SC23 v3: Precertificates

Purpose of Ballot:

This ballot intends to clarify requirements placed on Precertificates in BR section 4.9.10.

During a lengthy discussion on the mozilla.dev.security.policy forum [1], it was discovered that BR section 4.9.10 combined with BR section 7.1.2.5 prevents a CA from responding “good” for a precertificate. This is a problem because there is no guarantee that a certificate corresponding to a Precertificate has not been issued, resulting in root store policies such as [2] that require CAs to treat the existence of a Precertificate as a presumption that a corresponding certificate has been issued and thus that a valid OCSP response is required.

This ballot intends to resolve the problem by clarifying in the BRs that a CA may provide revocation information for the serial number contained in a Precertificate.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ

[2] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.

-- MOTION BEGINS --

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.6.6, or based on Version 1.6.6 as modified by ballot SC24:

ADD a reference to section 1.6.3 of the Baseline Requirements as defined in the following redline:

https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP

REPLACE section 4.9.10 of the Baseline Requirements in its entirety as defined in the following redline:

https://github.com/cabforum/documents/compare/master@%7B10-23-19%7D...sleevi:2019-10-OCSP

-- MOTION ENDS --

This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 3-October 2019 18:00 UTC

End Time: No earlier than 05-November 2019 04:00 UTC

Vote for approval (7 days)

Start Time: TBD

End Time: TBD
