[Servercert-wg] Voting begins for Ballot SC45: Wildcard Domain Validation

Ben Wilson bwilson at mozilla.com
Tue Jun 1 14:58:15 UTC 2021


Mozilla votes yes on Ballot SC45

On Tue, Jun 1, 2021 at 8:01 AM Jos Purvis (jopurvis) via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Cisco votes YES to SC45.
>
> --
> Jos Purvis (jopurvis at cisco.com)
> .:|:.:|:. cisco systems | Cryptographic Services
> PGP: 0xFD802FEE07D19105 | Controls and Trust Verification
>
> *From: *Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
> Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org>
> *Date: *Thursday, 27 May, 2021 at 15:02
> *To: *CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject: *[Servercert-wg] Voting begins for Ballot SC45: Wildcard Domain
> Validation
>
> This email begins the voting period for Ballot SC45: Wildcard Domain
> Validation
>
> Purpose of Ballot:
>
> This Ballot addresses security issues with the use of methods 3.2.2.4.6,
> 3.2.2.4.18, and 3.2.2.4.19 of the Baseline Requirements to authenticate an
> entire domain namespace. These methods rely on an HTTP based demonstration
> of control, which only demonstrates control over a particular host and
> service, rather than the entire Domain Namespace.
>
> Effective 2021-12-01, these methods MUST NOT be used to issue Wildcard
> Certificates and MUST NOT be used as Authorization Domain Names for
> subordinate FQDNs of the validated FQDN.
>
> Although not directly modifying the same section, this Ballot does
> interact with Ballot SC42: 398-day Re-use Period, and so two versions are
> presented, based on whether or not SC42 finishes the IP review period
> without issues. If SC42 is adopted, 3.2.2.4.6 does not need to change,
> because no past validations can be reused to issue new certificates after
> the effective date. However, if SC42 were to fail, 3.2.2.4.6 is also
> modified to keep consistent with .18 and .19.
>
> The following motion has been proposed by Ryan Sleevi of Google and
> endorsed by Jos Purvis of Cisco and Dimitris Zacharopoulos of HARICA.
>
> It can be viewed on GitHub as
> https://github.com/cabforum/servercert/pull/269
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 1.7.4.
>
> If SC42 finishes the IP Review period without issues and is adopted,
> MODIFY the Baseline Requirements as specified in the following Redline:
>
> https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..e244864fc86819ac43ef82a79c9c43b9366cf087
>
> If SC42 fails to finish the IP Review period without issues and is not
> adopted, MODIFY the Baseline Requirements as specified in the following
> Redline:
>
> https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..2ab50e3667c676d3591318474c3cbff99be8baf2
>
> -- MOTION ENDS --
>
> This ballot proposes a Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2021-05-20 19:00:00 UTC
> End Time: 2021-05-27 19:00:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 2021-05-27 19:00:00 UTC
> End Time: 2021-06-03 19:00:00 UTC