[Servercert-wg] [EXTERNAL] VOTING BEGINS: Ballot SC41v2: Reformat the BRs, EVGs, and NCSSRs
Ben Wilson
bwilson at mozilla.com
Thu Feb 18 17:10:35 UTC 2021
Mozilla votes "Yes" on Ballot SC41v2
On Thu, Feb 18, 2021 at 9:15 AM Mike Reilly (SECURITY) via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> Microsoft votes “Yes” on ballot SC41v2. Thanks, Mike
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Ryan
> Sleevi via Servercert-wg
> *Sent:* Wednesday, February 17, 2021 2:29 PM
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL] [Servercert-wg] VOTING BEGINS: Ballot SC41v2:
> Reformat the BRs, EVGs, and NCSSRs
>
>
>
> Hearing no objections or concerns during the discussion period for Ballot
> SC41v2: Reformat the BRs, EVGs, and NCSSRs , the purpose of this mail is
> to signal the start of the VOTING PERIOD.
>
>
>
> Bylaws Note: Although this Ballot modifies how the documents internally
> express the Guideline version number, it does not explicitly change the
> value of the Guideline version number in a manner that would constitute an
> "update" pursuant to CA/Browser Forum Bylaws 2.3, Section 2.4 (8). As such,
> the Chair or Vice-Chair are permitted to make changes permitted by that
> Section as necessary.
>
>
>
> Purpose of Ballot:
>
> This ballot attempts to align the Baseline Requirements (BRs), EV
> Guidelines (EVGs), and the Network and Certificate System Security
> Requirements (NCSSRs) to a common format, to allow for the automatic
> generation of final documents without requiring third-party tooling being
> installed locally.
>
> It is a continuation of the work started in SC26 [1], and is within the
> work started originally by Ballots 154 and 155 [2]. If this ballot
> succeeds, the Server Certificate Working Group will use the
> version-controlled documents in GitHub as the authoritative source of
> requirements, avoiding issues that resulted from exchanging various
> versions of Microsoft Office files via e-mail or the Wiki.
>
> The following changes are made, and are explicitly called out, beyond
> changes to font/styling
>
> · Baseline Requirements
>
> o Formatting issues in Sections 3.2.2.4.18, 3.2.2.4.19, 4.10.1, 6.1.6,
> Appendix B are resolved (see [3] [4] [5])
>
> o Section 9.6.1 referenced a non-existent Section 11.2, which was a bug
> introduced in BRs v1.3.0. This is fixed to the correct section, which is
> 7.1.4.2.2. [6]
>
> o Section 3.2.2.4.7 referenced Section 3.3.1, rather than the intended
> Section 4.2.1 [7]
>
> o The BRs consistently incorrectly refer to Section 8.1 for audit
> schemes, when the correct reference in Section 8.4 [8]
>
> · Extended Validation Guidelines
>
> o The EVGs are aligned to common language when referencing other
> sections, removing variations like “this Section X”, “the Section X of
> these Guidelines”, “Section X herein”, etc. Ambiguity is avoided by
> ensuring these references will also be internal document links that are
> structurally enforced.
>
> · Network and Certificate System Security
>
> o The structure is aligned to the BRs and EVGs, by listing Scope and
> Applicability followed by Document History and Definitions.
>
> o Section 2, Items (g), (k), and (o) and Section 4, Item (c) and (f),
> have the sub-items renumbered to Arabic numerals (1, 2, 3, 4) instead of
> Roman numerals (i, ii, iii, iv), for consistency and to avoid ambiguity
> with I/(i)/i.
>
> This ballot attaches derived versions of these documents in PDF and
> Microsoft Office, as produced by these changes. However, these documents
> are INFORMATIVE only, as per the Ballot text, and are provided to assist
> Members in review. For the avoidance of doubt, the attached documents do
> not constitute Ballot Versions, as defined within the CA/Browser Forum
> Bylaws, Section 2.4(1).
>
>
>
> If there are any inconsistencies, the balloted text redline shall decide
> the definitive version. However, Members are encouraged to raise any such
> presentation issues, to ensure they can be reasonably addressed as part of
> this Ballot.
>
>
>
> The following motion has been proposed by Ryan Sleevi of Google and
> endorsed by Ben Wilson of Mozilla and Dimitris Zacharopoulos of HARICA.
>
>
>
> Version 2 of this Ballot introduces language to address potential
> conflicts with Ballot SC39v3, due to modifying the same section of the
> NCSSRs, as well as addresses one small Markdown lint pointed out by Aaron
> Gable of ISRG/Let's Encrypt with respect to fenced code blocks.
>
>
>
> The comparison between v1 and v2 of this ballot is available at [9]
>
> [1]
> https://cabforum.org/2020/03/30/ballot-sc26v2-pandoc-friendly-markdown-formatting-changes/
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcabforum.org%2F2020%2F03%2F30%2Fballot-sc26v2-pandoc-friendly-markdown-formatting-changes%2F&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760927289%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lhxbpkKq9n7RqKNEtypPRrzJxoiB72NH1Jduvf2Cxuo%3D&reserved=0>
> [2]
> https://cabforum.org/2015/11/18/ballots-154-and-155-convert-to-rfc-3647-framework-and-github/
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcabforum.org%2F2015%2F11%2F18%2Fballots-154-and-155-convert-to-rfc-3647-framework-and-github%2F&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760927289%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=xXje7B7U0GINoRkKqr%2Bf19KNPaGpc4fybXtHa%2B01S0k%3D&reserved=0>
> [3] https://github.com/cabforum/servercert/issues/230
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F230&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760937287%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BRYSVc94EUBwuGPj7hIslzrhL6NCMhHilIkLsg0pHRI%3D&reserved=0>
> [4] https://github.com/cabforum/servercert/issues/231
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F231&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760937287%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Y%2BrBHzd4g55G4hctesWP5pauVyVd7LFc07Q7zuYXIq8%3D&reserved=0>
> [5] https://github.com/cabforum/servercert/issues/233
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F233&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760947284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=QFQ5xW%2BUA0sfleKp8LKsN5KzeNpFmcYNsf7DIHmppH8%3D&reserved=0>
> [6] https://github.com/cabforum/servercert/issues/237
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F237&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760947284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ezo9QPIsjKfGqoT0HUkFoR49KjwddZVlxG1dkfZXM3w%3D&reserved=0>
> [7] https://github.com/cabforum/servercert/issues/236
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F236&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760957280%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=aEAq%2BoNfsfS5waM9b0Z020Rc5UImWcudfvMJ7F7nf%2Bo%3D&reserved=0>
> [8] https://github.com/cabforum/servercert/issues/216
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F216&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760957280%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=XU7Dlmlzt0W1nM5uWgOblxKwr0y6GY%2BJ9%2B7Yi9DKqjM%3D&reserved=0>
>
> [9]
> https://github.com/cabforum/servercert/compare/a8a6605a1d37ec9120ee1cc30b725bafa4dd5651..8f0a3b5038ff2911c50741ded594d403ec868803
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fa8a6605a1d37ec9120ee1cc30b725bafa4dd5651..8f0a3b5038ff2911c50741ded594d403ec868803&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760967276%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fVMKooXyXO2PHUehWzLxt958kWPbiedKMfi%2FSyE0vDA%3D&reserved=0>
>
> – MOTION BEGINS –
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 1.7.3:
>
> MODIFY the Baseline Requirements as defined in the following redline to
> BR.md:
>
>
> https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fcompare%2F2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760967276%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Xe1Sn4ao%2FLotOxpG1l6TSLpk4cGdZWn8%2BdKb9syYj7s%3D&reserved=0>
>
> This ballot modifies the “Guidelines for the Issuance and Management of
> Extended Validation Certificates” (“EV Guidelines”) as follows, based on
> Version 1.7.4:
>
> MODIFY the EV Guidelines as defined in the following redline to EVG.md:
>
>
> https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fcompare%2F2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760977264%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=nGb7xHxKLJaKkxDt46ONVCZ2QzKgaDqy1vH5ae%2FfcN8%3D&reserved=0>
>
> This ballot modifies the “Network and Certificate System Security
> Requirements” (“Network Security Controls”) as follows, based on Version 1.5
>
> IF Ballot SC39v3 FAILS to be adopted by the Server Certificate Chartered
> Working Group:
>
> · MODIFY the Network Security Controls as defined in the following
> redline to NSR.md:
>
> https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..a8a6605a1d37ec9120ee1cc30b725bafa4dd5651
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fcompare%2F2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..a8a6605a1d37ec9120ee1cc30b725bafa4dd5651&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760977264%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=n39fNgt%2Fvsw4Xb7IVA1RTBj5tzwmcsFXEQasjfR3KxA%3D&reserved=0>
>
> IF Ballot SC39v3 SUCCEEDS and is adopted by the Server Certificate
> Chartered Working Group
>
> · MODIFY the Network Security Controls as defined in the following
> redline to NSR.md:
>
> https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fcompare%2F2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760987260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fHXnfw4M0ZPa%2BqpBOs%2BJHjr7X92VDxgb4IICo78%2BeYU%3D&reserved=0>
>
> On the successful adoption of this Ballot, the Forum shall recognize the
> CA/Browser Forum Server Certificate Chartered Working Group Git repository,
> as the authoritative and canonical source for the Baseline Requirements, EV
> Guidelines, and Network Security Controls. Alternative presentation formats
> may be used and provided, such as PDF/A, Office Open XML, or HTML, but in
> the event of any inconsistency in presentation, the documents as committed
> to the official Git repository shall be authoritative.
>
> At the time of this ballot, the Git repository may be browsed at
> https://github.com/cabforum/servercert
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760987260%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=PopO5JEP2FbTFXeOhu6lSW6Ayrm%2BYZMjnDoAn%2FfhUxg%3D&reserved=0> and
> cloned via https://github.com/cabforum/servercert.git
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert.git&data=04%7C01%7CMike.reilly%40microsoft.com%7Cc199a59e296b4d585ae508d8d3936983%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637491977760997252%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Jf7%2BvDNIJeGCpek2kaQYoq2%2FjWnTTzdSGS0pdsfkmIU%3D&reserved=0>
>
> – MOTION ENDS –
>
> This ballot proposes three Final Maintenance Guidelines.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2021-02-08 16:00:00 UTC
> End Time: 2021-02-17 22:30:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 2021-02-17 22:30:00 UTC
> End Time: 2021-02-24 22:30:00 UTC
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210218/8a06ddf2/attachment-0001.html>
More information about the Servercert-wg
mailing list