[Servercert-wg] Updated Draft for Browser Alignment

Ryan Sleevi sleevi at google.com
Mon Mar 16 08:46:36 MST 2020


Also BCC'ing the validation WG, although this had been circulated before.

Looking for endorsers and looking for root stores to affirmatively confirm
this matches their root program requirements :)

On Thu, Mar 5, 2020 at 11:31 AM Ryan Sleevi <sleevi at google.com> wrote:

> Hi all,
>
> As mentioned on the servercert-wg@ call today, I've updated the draft
> ballot to align the BRs with existing Root Program Requirements, hopefully
> up to date with every Root Program change announced at the Bratislava F2F.
> The one exception to that is I have not added
> https://support.apple.com/en-us/HT211025 yet, as it wasn't yet published
> when I did the alignment pass.
>
> The redline against 1.6.7 (I haven't yet merged in the recent 1.6.8
> changes) is at
> https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
>
> I tried to explain the source of the requirements in the commits, which
> try to incorporate:
>
>    - Mozilla Root Store Policy 2.7 -
>    https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>    - Microsoft Trusted Root Program (as updated 2020-02-04) -
>    https://docs.microsoft.com/en-us/security/trusted-root/program-requirements
>    - Common CCADB Policy 1.1 - https://www.ccadb.org/policy
>
> If I've missed requirements, or misinterpreted, please feel free to
> highlight :) The subtleties, in particular, around Mozilla's permitted
> SHA-1 issuance (which is more restrictive than the BRs in a number of
> useful ways), were a bit more complex to capture in an objective, technical
> way.
>
> As I mentioned, it's possible that root stores had reached private
> understandings with CAs regarding particular requirements. As such, it may
> be that some requirements need effective dates in the future. For
> requirements that have already been adopted, this doesn't set effective
> dates in the past; the effective date would be the adoption of this ballot.
>