[Servercert-wg] Voting begins for Ballot SC45: Wildcard Domain Validation

Wojciech Trapczyński wtrapczynski at certum.pl
Wed Jun 2 10:10:45 UTC 2021


Certum votes YES on ballot SC45.

W dniu 27.05.2021 o 21:01, Ryan Sleevi via Servercert-wg pisze:
> This email begins the voting period for Ballot SC45: Wildcard Domain 
> Validation
> 
> Purpose of Ballot:
> 
> This Ballot addresses security issues with the use of methods 3.2.2.4.6, 
> 3.2.2.4.18, and 3.2.2.4.19 of the Baseline Requirements to authenticate 

> an entire domain namespace. These methods rely on an HTTP based 
> demonstration of control, which only demonstrates control over a 
> particular host and service, rather than the entire Domain Namespace.
> 
> Effective 2021-12-01, these methods MUST NOT be used to issue Wildcard 
> Certificates and MUST NOT be used as Authorization Domain Names for 
> subordinate FQDNs of the validated FQDN.
> 
> Although not directly modifying the same section, this Ballot does 
> interact with Ballot SC42: 398-day Re-use Period, and so two versions 
> are presented, based on whether or not SC42 finishes the IP review 
> period without issues. If SC42 is adopted, 3.2.2.4.6 does not need to 
> change, because no past validations can be reused to issue new 
> certificates after the effective date. However, if SC42 were to fail, 
> 3.2.2.4.6 is also modified to keep consistent with .18 and .19.
> 
> The following motion has been proposed by Ryan Sleevi of Google and 
> endorsed by Jos Purvis of Cisco and Dimitris Zacharopoulos of HARICA.
> 
> It can be viewed on GitHub as 
> https://github.com/cabforum/servercert/pull/269 
> <https://github.com/cabforum/servercert/pull/269>
> 
> -- MOTION BEGINS --
> 
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” (“Baseline 
Requirements”), 
> based on Version 1.7.4.
> 
> If SC42 finishes the IP Review period without issues and is adopted, 
> MODIFY the Baseline Requirements as specified in the following Redline:
> 
> https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..e244864fc86819ac43ef82a79c9c43b9366cf087 
> <https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..e244864fc86819ac43ef82a79c9c43b9366cf087>
> 
> If SC42 fails to finish the IP Review period without issues and is not 
> adopted, MODIFY the Baseline Requirements as specified in the following 

> Redline:
> 
> https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..2ab50e3667c676d3591318474c3cbff99be8baf2 
> <https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..2ab50e3667c676d3591318474c3cbff99be8baf2>
> 
> -- MOTION ENDS --
> 
> This ballot proposes a Final Maintenance Guideline.
> 
> The procedure for approval of this ballot is as follows:
> 
> Discussion (7+ days)
> 
> Start Time: 2021-05-20 19:00:00 UTC
> End Time: 2021-05-27 19:00:00 UTC
> 
> Vote for approval (7 days)
> 
> Start Time: 2021-05-27 19:00:00 UTC
> End Time: 2021-06-03 19:00:00 UTC
> 
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3765 bytes
Desc: Kryptograficzna sygnatura S/MIME
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210602/b09f4a05/attachment.p7s>


More information about the Servercert-wg mailing list