[Servercert-wg] VOTING BEGINS: Ballot SC41v2: Reformat the BRs, EVGs, and NCSSRs

Ryan Sleevi sleevi at google.com
Wed Feb 17 22:27:57 UTC 2021


Hearing no objections or concerns during the discussion period for Ballot
SC41v2: Reformat the BRs, EVGs, and NCSSRs , the purpose of this mail is to
signal the start of the VOTING PERIOD.

Bylaws Note: Although this Ballot modifies how the documents internally
express the Guideline version number, it does not explicitly change the
value of the Guideline version number in a manner that would constitute an
"update" pursuant to CA/Browser Forum Bylaws 2.3, Section 2.4 (8). As such,
the Chair or Vice-Chair are permitted to make changes permitted by that
Section as necessary.

Purpose of Ballot:

This ballot attempts to align the Baseline Requirements (BRs), EV
Guidelines (EVGs), and the Network and Certificate System Security
Requirements (NCSSRs) to a common format, to allow for the automatic
generation of final documents without requiring third-party tooling being
installed locally.

It is a continuation of the work started in SC26 [1], and is within the
work started originally by Ballots 154 and 155 [2]. If this ballot
succeeds, the Server Certificate Working Group will use the
version-controlled documents in GitHub as the authoritative source of
requirements, avoiding issues that resulted from exchanging various
versions of Microsoft Office files via e-mail or the Wiki.

The following changes are made, and are explicitly called out, beyond
changes to font/styling

   - Baseline Requirements
      - Formatting issues in Sections 3.2.2.4.18, 3.2.2.4.19, 4.10.1,
      6.1.6, Appendix B are resolved (see [3] [4] [5])
      - Section 9.6.1 referenced a non-existent Section 11.2, which was a
      bug introduced in BRs v1.3.0. This is fixed to the correct section, which
      is 7.1.4.2.2. [6]
      - Section 3.2.2.4.7 referenced Section 3.3.1, rather than the
      intended Section 4.2.1 [7]
      - The BRs consistently incorrectly refer to Section 8.1 for audit
      schemes, when the correct reference in Section 8.4 [8]
   - Extended Validation Guidelines
      - The EVGs are aligned to common language when referencing other
      sections, removing variations like “this Section X”, “the Section X of
      these Guidelines”, “Section X herein”, etc. Ambiguity is avoided by
      ensuring these references will also be internal document links that are
      structurally enforced.
   - Network and Certificate System Security
      - The structure is aligned to the BRs and EVGs, by listing Scope and
      Applicability followed by Document History and Definitions.
      - Section 2, Items (g), (k), and (o) and Section 4, Item (c) and (f),
      have the sub-items renumbered to Arabic numerals (1, 2, 3, 4) instead of
      Roman numerals (i, ii, iii, iv), for consistency and to avoid ambiguity
      with I/(i)/i.

This ballot attaches derived versions of these documents in PDF and
Microsoft Office, as produced by these changes. However, these documents
are INFORMATIVE only, as per the Ballot text, and are provided to assist
Members in review. For the avoidance of doubt, the attached documents do
not constitute Ballot Versions, as defined within the CA/Browser Forum
Bylaws, Section 2.4(1).

If there are any inconsistencies, the balloted text redline shall decide
the definitive version. However, Members are encouraged to raise any such
presentation issues, to ensure they can be reasonably addressed as part of
this Ballot.

The following motion has been proposed by Ryan Sleevi of Google and
endorsed by Ben Wilson of Mozilla and Dimitris Zacharopoulos of HARICA.

Version 2 of this Ballot introduces language to address potential conflicts
with Ballot SC39v3, due to modifying the same section of the NCSSRs, as
well as addresses one small Markdown lint pointed out by Aaron Gable of
ISRG/Let's Encrypt with respect to fenced code blocks.

The comparison between v1 and v2 of this ballot is available at [9]

[1]
https://cabforum.org/2020/03/30/ballot-sc26v2-pandoc-friendly-markdown-formatting-changes/
[2]
https://cabforum.org/2015/11/18/ballots-154-and-155-convert-to-rfc-3647-framework-and-github/
[3] https://github.com/cabforum/servercert/issues/230
[4] https://github.com/cabforum/servercert/issues/231
[5] https://github.com/cabforum/servercert/issues/233
[6] https://github.com/cabforum/servercert/issues/237
[7] https://github.com/cabforum/servercert/issues/236
[8] https://github.com/cabforum/servercert/issues/216
[9]
https://github.com/cabforum/servercert/compare/a8a6605a1d37ec9120ee1cc30b725bafa4dd5651..8f0a3b5038ff2911c50741ded594d403ec868803

– MOTION BEGINS –

This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
based on Version 1.7.3:

MODIFY the Baseline Requirements as defined in the following redline to
BR.md:

https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803

This ballot modifies the “Guidelines for the Issuance and Management of
Extended Validation Certificates” (“EV Guidelines”) as follows, based on
Version 1.7.4:

MODIFY the EV Guidelines as defined in the following redline to EVG.md:

https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803

This ballot modifies the “Network and Certificate System Security
Requirements” (“Network Security Controls”) as follows, based on Version 1.5

IF Ballot SC39v3 FAILS to be adopted by the Server Certificate Chartered
Working Group:

   - MODIFY the Network Security Controls as defined in the following
   redline to NSR.md:

   https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..a8a6605a1d37ec9120ee1cc30b725bafa4dd5651

IF Ballot SC39v3 SUCCEEDS and is adopted by the Server Certificate
Chartered Working Group

   - MODIFY the Network Security Controls as defined in the following
   redline to NSR.md:

   https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803

On the successful adoption of this Ballot, the Forum shall recognize the
CA/Browser Forum Server Certificate Chartered Working Group Git repository,
as the authoritative and canonical source for the Baseline Requirements, EV
Guidelines, and Network Security Controls. Alternative presentation formats
may be used and provided, such as PDF/A, Office Open XML, or HTML, but in
the event of any inconsistency in presentation, the documents as committed
to the official Git repository shall be authoritative.

At the time of this ballot, the Git repository may be browsed at
https://github.com/cabforum/servercert and cloned via
https://github.com/cabforum/servercert.git

– MOTION ENDS –

This ballot proposes three Final Maintenance Guidelines.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 2021-02-08 16:00:00 UTC
End Time: 2021-02-17 22:30:00 UTC

Vote for approval (7 days)

Start Time: 2021-02-17 22:30:00 UTC
End Time: 2021-02-24 22:30:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210217/a2aa9d16/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: EVG.pdf
Type: application/pdf
Size: 249222 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210217/a2aa9d16/attachment-0003.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BR.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 97850 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210217/a2aa9d16/attachment-0003.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BR.pdf
Type: application/pdf
Size: 293878 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210217/a2aa9d16/attachment-0004.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: EVG.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 77536 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210217/a2aa9d16/attachment-0004.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NSR.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 25497 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210217/a2aa9d16/attachment-0005.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NSR.pdf
Type: application/pdf
Size: 48567 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210217/a2aa9d16/attachment-0005.pdf>


More information about the Servercert-wg mailing list