[Servercert-wg] [EXTERNAL] Ballot SC23 v3: Precertificates

Bruce Morton Bruce.Morton at entrustdatacard.com
Tue Oct 29 08:10:28 MST 2019

Hi Wayne,

Do you still intend to propose an effective date of 1 March 2020?

Thanks, Bruce.

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Monday, October 28, 2019 11:45 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL][Servercert-wg] Ballot SC23 v3: Precertificates

Here is v3 of the Precertificates ballot, based on Ryan Sleevi's proposal. This email resets the discussion period as defined below.

Ballot SC23 v3: Precertificates

Purpose of Ballot:

This ballot intends to clarify requirements placed on Precertificates in BR section 4.9.10.

During a lengthy discussion on the mozilla.dev.security.policy forum [1], it was discovered that BR section 4.9.10 combined with BR section prevents a CA from responding “good” for a precertificate. This is a problem because there is no guarantee that a certificate corresponding to a Precertificate has not been issued, resulting in root store policies such as [2] that require CAs to treat the existence of a Precertificate as a presumption that a corresponding certificate has been issued and thus that a valid OCSP response is required.

This ballot intends to resolve the problem by clarifying in the BRs that a CA may provide revocation information for the serial number contained in a Precertificate.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ

[2] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates

The following motion has been proposed by Wayne Thayer of Mozilla and endorsed by Jeremy Rowley of DigiCert and Rob Stradling of Sectigo.


This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.6.6, or based on Version 1.6.6 as modified by ballot SC24:

ADD a reference to section 1.6.3 of the Baseline Requirements as defined in the following redline:


REPLACE section 4.9.10 of the Baseline Requirements in its entirety as defined in the following redline:



This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 3-October 2019 18:00 UTC

End Time: No earlier than 05-November 2019 04:00 UTC

Vote for approval (7 days)

Start Time: TBD

End Time: TBD