[Servercert-wg] Spring is here. So is a cleanup and clarification ballot

Doug Beattie doug.beattie at globalsign.com
Thu Apr 2 06:12:03 MST 2020


Ryan,

The clean-up ballot is a good idea and I agree with the vast majority of your changes.

For the Browser Alignment ballot, we need to be careful that we don't apply rules to all Roots which are only driven by one Root program. CAs may have roots embedded into a subset of all programs and we don't want one Root program's rules to necessarily apply to all roots in all programs.

One example is ECC P-521. This is permitted in Microsoft but not by Mozilla, so it should not be added to the "clean-up" ballot unless MS changes their program. Even then, some other programs may permit this and depend on it in some cases (although I have no proof this is the case). Same goes for changing the maximum validity period to 398 days. We might consider pulling a root from the Apple trust store to permit issuance of 2 year certificates for customers that don't need to support Apple products.

The same goes for signing algorithms. It might be the case that some regions (China?) want to use different algorithms not permitted by Google and Mozilla, but that other root programs do support and where a WT audit is needed. Again, I don't know of a specific case, but let's be careful about which items we pull from the root programs and make mandatory for ALL root programs.

I'd focus on the less controversial items in this round and then tackle the harder ones later.

Doug
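The concern above (a root embedded in several programs must satisfy all of them at once, while a root in only one program need satisfy only that one) can be expressed as a policy intersection. The following is an added example, not code from Doug, Ryan or the CA/B Forum: it builds the combined constraint set for whatever programs a root is embedded in (curves every program accepts, shortest lifetime cap) and checks a leaf certificate's parameters against it. The program rules are constructed from the thread's own statements (Microsoft permits P-521, Mozilla does not, Apple caps lifetime at 398 days); the 825-day baseline and the remaining curve lists are placeholder assumptions, as are the sample certificates.

```python
"""Evaluate a leaf certificate's parameters against the intersection of the root
programs its issuing root is embedded in (added example, not CA/B Forum code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, Iterable, List

# Assumed baseline for this example: the Baseline Requirements cap in force in
# spring 2020 (825 days), used where a program adds no shorter cap of its own.
BASELINE_MAX_VALIDITY_DAYS = 825


@dataclass(frozen=True)
class ProgramPolicy:
    """Constraints one root program layers on top of the Baseline Requirements."""
    name: str
    allowed_curves: FrozenSet[str]
    max_validity_days: int


# Constructed from the statements in the thread: Microsoft permits ECC P-521,
# Mozilla does not, and Apple caps subscriber certificate lifetime at 398 days.
# Everything else here (P-256/P-384 everywhere, Apple's curve list) is a
# placeholder assumption, not a statement of any program's actual policy.
PROGRAMS: Dict[str, ProgramPolicy] = {
    "Mozilla": ProgramPolicy("Mozilla", frozenset({"P-256", "P-384"}),
                             BASELINE_MAX_VALIDITY_DAYS),
    "Microsoft": ProgramPolicy("Microsoft", frozenset({"P-256", "P-384", "P-521"}),
                               BASELINE_MAX_VALIDITY_DAYS),
    "Apple": ProgramPolicy("Apple", frozenset({"P-256", "P-384"}), 398),
}


def effective_policy(program_names: Iterable[str]) -> ProgramPolicy:
    """Most restrictive combination of every program the root is embedded in:
    a curve survives only if all programs accept it; the shortest lifetime cap wins."""
    names = sorted(set(program_names))
    if not names:
        raise ValueError("a root embedded in no program has no policy to satisfy")
    curves = frozenset.intersection(*(PROGRAMS[n].allowed_curves for n in names))
    max_days = min(PROGRAMS[n].max_validity_days for n in names)
    return ProgramPolicy("+".join(names), curves, max_days)


def validity_days(not_before: str, not_after: str) -> int:
    """Lifetime in whole days between two ISO 8601 dates."""
    return (datetime.fromisoformat(not_after) - datetime.fromisoformat(not_before)).days


def check_certificate(cert: Dict[str, str], root_programs: Iterable[str]) -> List[str]:
    """Return one finding per parameter the combined policy rejects (empty = compliant)."""
    policy = effective_policy(root_programs)
    findings: List[str] = []
    if cert["curve"] not in policy.allowed_curves:
        findings.append(f"curve {cert['curve']} is not accepted by every program in {policy.name}")
    days = validity_days(cert["not_before"], cert["not_after"])
    if days > policy.max_validity_days:
        findings.append(f"validity of {days} days exceeds the {policy.max_validity_days}-day cap "
                        f"imposed by {policy.name}")
    return findings


# Constructed sample leaf certificates: roughly two-year lifetimes, differing only in curve.
P521_TWO_YEAR = {"curve": "P-521", "not_before": "2020-04-02", "not_after": "2022-03-03"}
P384_TWO_YEAR = {"curve": "P-384", "not_before": "2020-04-02", "not_after": "2022-03-03"}

if __name__ == "__main__":
    for label, cert, programs in [
        ("Microsoft-only root, P-521", P521_TWO_YEAR, ["Microsoft"]),
        ("Mozilla+Microsoft root, P-521", P521_TWO_YEAR, ["Mozilla", "Microsoft"]),
        ("Apple+Microsoft root, 700 days", P384_TWO_YEAR, ["Apple", "Microsoft"]),
        ("Root pulled from Apple, 700 days", P384_TWO_YEAR, ["Mozilla", "Microsoft"]),
    ]:
        print(label, "->", check_certificate(cert, programs) or "compliant")
```

The design point is that the check is driven by the set of programs the specific root is in, not by a single global rule set: the same P-521 certificate is compliant under a Microsoft-only root and rejected under a root that Mozilla also carries, and a root removed from Apple's store is no longer bound by the 398-day cap in this model.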

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Servercert-wg
Sent: Wednesday, April 1, 2020 5:14 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Spring is here. So is a cleanup and clarification ballot

No, this isn't an April 1 prank. I've gone through https://github.com/cabforum/documents/issues and tried to address the outstanding issues we have there around cleanups and clarifications.

On the latter point, the intent of a clarification is first and foremost "Clarify an existing /implicit/ requirement by making it /explicit/", and then secondarily "Clarify the logical consequences of an existing requirement".

I realize some of these may be more or less exciting, so I've crafted a draft pull request in my repository first, to allow discussion and feedback prior to kicking off a proper ballot. This is to allow folks to review and discuss the shape of things first, and to find co-sponsors.

Note that there are other draft ballots similarly looking for feedback and/or co-sponsorship, so I'm including the full list here:

* https://github.com/sleevi/cabforum-docs/pull/10 - Browser Alignment
  * Status: This is waiting for an additional update to incorporate lifetimes now that https://support.apple.com/en-us/HT211025 is published, as well as possibly being updated for Mozilla Policy 2.7.1 (depending on when discussions may begin)
* https://github.com/sleevi/cabforum-docs/pull/11 - Agency of Registration / Agency of Incorporation disclosure
  * This was discussed on the 27 Feb Validation Subcommittee call, as reflected in the minutes <https://cabforum.org/pipermail/validation/2020-March/001417.html>, and attempts to keep forward momentum in building better consensus and/or understanding on appropriate data sources.
* https://github.com/sleevi/cabforum-docs/pull/12 - Spring Cleanups and Clarifications
  * Saving the best for last. This is what this message is about.

In each of these, I tried to include the rationale and/or reference within the commit messages. You can click the little "..." expando next to any of the Commits (on the main view or on the Commits tab) to read more details, supporting links, and documentation.
