[Servercert-wg] VOTING BEGINS: Ballot SC41v2: Reformat the BRs, EVGs, and NCSSRs

Tim Callan tim.callan at sectigo.com
Tue Feb 23 13:45:00 UTC 2021


Sectigo votes YES on ballot SC41v2.

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ryan
Sleevi via Servercert-wg
Sent: Wednesday, February 17, 2021 5:29 PM
To: CA/B Forum Server Certificate WG Public Discussion List
<servercert-wg at cabforum.org>
Subject: [Servercert-wg] VOTING BEGINS: Ballot SC41v2: Reformat the BRs,
EVGs, and NCSSRs

 

Hearing no objections or concerns during the discussion period for Ballot
SC41v2: Reformat the BRs, EVGs, and NCSSRs, the purpose of this mail is to
signal the start of the VOTING PERIOD.

 

Bylaws Note: Although this Ballot modifies how the documents internally
express the Guideline version number, it does not explicitly change the
value of the Guideline version number in a manner that would constitute an
"update" pursuant to CA/Browser Forum Bylaws 2.3, Section 2.4 (8). As such,
the Chair or Vice-Chair are permitted to make changes permitted by that
Section as necessary.

 

Purpose of Ballot:

This ballot attempts to align the Baseline Requirements (BRs), EV Guidelines
(EVGs), and the Network and Certificate System Security Requirements
(NCSSRs) to a common format, to allow for the automatic generation of final
documents without requiring third-party tooling being installed locally.

It is a continuation of the work started in SC26 [1], and is within the work
started originally by Ballots 154 and 155 [2]. If this ballot succeeds, the
Server Certificate Working Group will use the version-controlled documents
in GitHub as the authoritative source of requirements, avoiding issues that
resulted from exchanging various versions of Microsoft Office files via
e-mail or the Wiki.

The following changes are made, and are explicitly called out, beyond
changes to font/styling:

*  Baseline Requirements

o Formatting issues in Sections 3.2.2.4.18, 3.2.2.4.19, 4.10.1, 6.1.6,
Appendix B are resolved (see [3] [4] [5])

o Section 9.6.1 referenced a non-existent Section 11.2, which was a bug
introduced in BRs v1.3.0. This is fixed to the correct section, which is
7.1.4.2.2. [6]

o Section 3.2.2.4.7 referenced Section 3.3.1, rather than the intended
Section 4.2.1 [7]

o The BRs consistently incorrectly refer to Section 8.1 for audit schemes,
when the correct reference in Section 8.4 [8]

*  Extended Validation Guidelines

o The EVGs are aligned to common language when referencing other sections,
removing variations like "this Section X", "the Section X of these
Guidelines", "Section X herein", etc. Ambiguity is avoided by ensuring these
references will also be internal document links that are structurally
enforced.

*  Network and Certificate System Security

o The structure is aligned to the BRs and EVGs, by listing Scope and
Applicability followed by Document History and Definitions.

o Section 2, Items (g), (k), and (o) and Section 4, Item (c) and (f), have
the sub-items renumbered to Arabic numerals (1, 2, 3, 4) instead of Roman
numerals (i, ii, iii, iv), for consistency and to avoid ambiguity with
I/(i)/i.

This ballot attaches derived versions of these documents in PDF and
Microsoft Office, as produced by these changes. However, these documents are
INFORMATIVE only, as per the Ballot text, and are provided to assist Members
in review. For the avoidance of doubt, the attached documents do not
constitute Ballot Versions, as defined within the CA/Browser Forum Bylaws,
Section 2.4(1).

 

If there are any inconsistencies, the balloted text redline shall decide the
definitive version. However, Members are encouraged to raise any such
presentation issues, to ensure they can be reasonably addressed as part of
this Ballot.

 

The following motion has been proposed by Ryan Sleevi of Google and endorsed
by Ben Wilson of Mozilla and Dimitris Zacharopoulos of HARICA. 

 

Version 2 of this Ballot introduces language to address potential conflicts
with Ballot SC39v3, due to modifying the same section of the NCSSRs, as well
as addresses one small Markdown lint pointed out by Aaron Gable of
ISRG/Let's Encrypt with respect to fenced code blocks.

 

The comparison between v1 and v2 of this ballot is available at [9]

[1] https://cabforum.org/2020/03/30/ballot-sc26v2-pandoc-friendly-markdown-formatting-changes/
[2] https://cabforum.org/2015/11/18/ballots-154-and-155-convert-to-rfc-3647-framework-and-github/
[3] https://github.com/cabforum/servercert/issues/230
[4] https://github.com/cabforum/servercert/issues/231
[5] https://github.com/cabforum/servercert/issues/233
[6] https://github.com/cabforum/servercert/issues/237
[7] https://github.com/cabforum/servercert/issues/236
[8] https://github.com/cabforum/servercert/issues/216
[9] https://github.com/cabforum/servercert/compare/a8a6605a1d37ec9120ee1cc30b725bafa4dd5651..8f0a3b5038ff2911c50741ded594d403ec868803

- MOTION BEGINS -

This ballot modifies the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates" ("Baseline Requirements"),
based on Version 1.7.3:

MODIFY the Baseline Requirements as defined in the following redline to
BR.md:

https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803

This ballot modifies the "Guidelines for the Issuance and Management of
Extended Validation Certificates" ("EV Guidelines") as follows, based on
Version 1.7.4:

MODIFY the EV Guidelines as defined in the following redline to EVG.md:

https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803

This ballot modifies the "Network and Certificate System Security
Requirements" ("Network Security Controls") as follows, based on Version 1.5

IF Ballot SC39v3 FAILS to be adopted by the Server Certificate Chartered
Working Group:

*  MODIFY the Network Security Controls as defined in the following redline
to NSR.md:
https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..a8a6605a1d37ec9120ee1cc30b725bafa4dd5651

IF Ballot SC39v3 SUCCEEDS and is adopted by the Server Certificate Chartered
Working Group

*  MODIFY the Network Security Controls as defined in the following redline
to NSR.md:
https://github.com/cabforum/documents/compare/2b7720f7821764f0ea9d0d583ec5c61896a3f4cd..8f0a3b5038ff2911c50741ded594d403ec868803

On the successful adoption of this Ballot, the Forum shall recognize the
CA/Browser Forum Server Certificate Chartered Working Group Git repository,
as the authoritative and canonical source for the Baseline Requirements, EV
Guidelines, and Network Security Controls. Alternative presentation formats
may be used and provided, such as PDF/A, Office Open XML, or HTML, but in
the event of any inconsistency in presentation, the documents as committed
to the official Git repository shall be authoritative.

At the time of this ballot, the Git repository may be browsed at
https://github.com/cabforum/servercert and cloned via
https://github.com/cabforum/servercert.git

- MOTION ENDS -

This ballot proposes three Final Maintenance Guidelines.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 2021-02-08 16:00:00 UTC
End Time: 2021-02-17 22:30:00 UTC

Vote for approval (7 days)

Start Time: 2021-02-17 22:30:00 UTC
End Time: 2021-02-24 22:30:00 UTC
