[Servercert-wg] [EXTERNAL] VOTING BEGINS: Ballot SC41v2: Reformat the BRs, EVGs, and NCSSRs

Mike Reilly (SECURITY) Mike.Reilly at microsoft.com
Thu Feb 18 16:15:49 UTC 2021


Microsoft votes "Yes" on ballot SC41v2.  Thanks, Mike

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Servercert-wg
Sent: Wednesday, February 17, 2021 2:29 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL] [Servercert-wg] VOTING BEGINS: Ballot SC41v2: Reformat the BRs, EVGs, and NCSSRs

Hearing no objections or concerns during the discussion period for Ballot SC41v2: Reformat the BRs, EVGs, and NCSSRs, the purpose of this mail is to signal the start of the VOTING PERIOD.

Bylaws Note: Although this Ballot modifies how the documents internally express the Guideline version number, it does not explicitly change the value of the Guideline version number in a manner that would constitute an "update" pursuant to CA/Browser Forum Bylaws 2.3, Section 2.4 (8). As such, the Chair or Vice-Chair are permitted to make changes permitted by that Section as necessary.

Purpose of Ballot:

This ballot attempts to align the Baseline Requirements (BRs), EV Guidelines (EVGs), and the Network and Certificate System Security Requirements (NCSSRs) to a common format, to allow for the automatic generation of final documents without requiring third-party tooling being installed locally.

It is a continuation of the work started in SC26 [1], and is within the work started originally by Ballots 154 and 155 [2]. If this ballot succeeds, the Server Certificate Working Group will use the version-controlled documents in GitHub as the authoritative source of requirements, avoiding issues that resulted from exchanging various versions of Microsoft Office files via e-mail or the Wiki.

The following changes are made, and are explicitly called out, beyond changes to font/styling:
*  Baseline Requirements
   o Formatting issues in Sections 3.2.2.4.18, 3.2.2.4.19, 4.10.1, 6.1.6, Appendix B are resolved (see [3] [4] [5])
   o Section 9.6.1 referenced a non-existent Section 11.2, which was a bug introduced in BRs v1.3.0. This is fixed to the correct section, which is 7.1.4.2.2. [6]
   o Section 3.2.2.4.7 referenced Section 3.3.1, rather than the intended Section 4.2.1 [7]
   o The BRs consistently incorrectly refer to Section 8.1 for audit schemes, when the correct reference is Section 8.4 [8]
*  Extended Validation Guidelines
   o The EVGs are aligned to common language when referencing other sections, removing variations like "this Section X", "the Section X of these Guidelines", "Section X herein", etc. Ambiguity is avoided by ensuring these references will also be internal document links that are structurally enforced.
*  Network and Certificate System Security
   o The structure is aligned to the BRs and EVGs, by listing Scope and Applicability followed by Document History and Definitions.
   o Section 2, Items (g), (k), and (o) and Section 4, Item (c) and (f), have the sub-items renumbered to Arabic numerals (1, 2, 3, 4) instead of Roman numerals (i, ii, iii, iv), for consistency and to avoid ambiguity with I/(i)/i.

This ballot attaches derived versions of these documents in PDF and Microsoft Office, as produced by these changes. However, these documents are INFORMATIVE only, as per the Ballot text, and are provided to assist Members in review. For the avoidance of doubt, the attached documents do not constitute Ballot Versions, as defined within the CA/Browser Forum Bylaws, Section 2.4(1).

If there are any inconsistencies, the balloted text redline shall decide the definitive version. However, Members are encouraged to raise any such presentation issues, to ensure they can be reasonably addressed as part of this Ballot.

The following motion has been proposed by Ryan Sleevi of Google and endorsed by Ben Wilson of Mozilla and Dimitris Zacharopoulos of HARICA.

Version 2 of this Ballot introduces language to address potential conflicts with Ballot SC39v3, due to modifying the same section of the NCSSRs, as well as addresses one small Markdown lint pointed out by Aaron Gable of ISRG/Let's Encrypt with respect to fenced code blocks.

The comparison between v1 and v2 of this ballot is available at [9]

[1] https://cabforum.org/2020/03/30/ballot-sc26v2-pandoc-friendly-markdown-formatting-changes/
[2] https://cabforum.org/2015/11/18/ballots-154-and-155-convert-to-rfc-3647-framework-and-github/
[3] https://github.com/cabforum/servercert/issues/230
[4] https://github.com/cabforum/servercert/issues/231
[5] https://github.com/cabforum/servercert/issues/233
[6] https://github.com/cabforum/servercert/issues/237
[7] https://github.com/cabforum/servercert/issues/236
[8] https://github.com/cabforum/servercert/issues/216
[9] https://github.com/cabforum/servercert/compare/a8a6605a1d37ec9120ee1cc30b725bafa4dd5651..8f0a3b5038ff2911c50741ded594d403ec868803

- MOTION BEGINS -

This ballot modifies the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements"), based on Version 1.7.3:

MODIFY the Baseline Requirements as defined in the following redline to BR.md:

https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803

This ballot modifies the "Guidelines for the Issuance and Management of Extended Validation Certificates" ("EV Guidelines") as follows, based on Version 1.7.4:

MODIFY the EV Guidelines as defined in the following redline to EVG.md:

https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803

This ballot modifies the "Network and Certificate System Security Requirements" ("Network Security Controls") as follows, based on Version 1.5

IF Ballot SC39v3 FAILS to be adopted by the Server Certificate Chartered Working Group:
*  MODIFY the Network Security Controls as defined in the following redline to NSR.md:
   https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..a8a6605a1d37ec9120ee1cc30b725bafa4dd5651

IF Ballot SC39v3 SUCCEEDS and is adopted by the Server Certificate Chartered Working Group
*  MODIFY the Network Security Controls as defined in the following redline to NSR.md:
   https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803

On the successful adoption of this Ballot, the Forum shall recognize the CA/Browser Forum Server Certificate Chartered Working Group Git repository, as the authoritative and canonical source for the Baseline Requirements, EV Guidelines, and Network Security Controls. Alternative presentation formats may be used and provided, such as PDF/A, Office Open XML, or HTML, but in the event of any inconsistency in presentation, the documents as committed to the official Git repository shall be authoritative.

At the time of this ballot, the Git repository may be browsed at https://github.com/cabforum/servercert and cloned via https://github.com/cabforum/servercert.git

- MOTION ENDS -

This ballot proposes three Final Maintenance Guidelines.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 2021-02-08 16:00:00 UTC
End Time: 2021-02-17 22:30:00 UTC

Vote for approval (7 days)

Start Time: 2021-02-17 22:30:00 UTC
End Time: 2021-02-24 22:30:00 UTC