[Servercert-wg] Voting begins for Ballot SC45: Wildcard Domain Validation
Josselin Allemandou
j.allemandou at certigna.com
Wed Jun 2 10:26:51 UTC 2021
Certigna votes < YES > on ballot SC45.
Von: Servercert-wg <servercert-wg-bounces at cabforum.org
<mailto:servercert-wg-bounces at cabforum.org> > Im Auftrag von Ryan Sleevi via
Servercert-wg
Gesendet: Donnerstag, 27. Mai 2021 21:02
An: CA/B Forum Server Certificate WG Public Discussion List
<servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> >
Betreff: [Servercert-wg] Voting begins for Ballot SC45: Wildcard Domain
Validation
This email begins the voting period for Ballot SC45: Wildcard Domain
Validation
Purpose of Ballot:
This Ballot addresses security issues with the use of methods 3.2.2.4.6,
3.2.2.4.18, and 3.2.2.4.19 of the Baseline Requirements to authenticate an
entire domain namespace. These methods rely on an HTTP based demonstration
of control, which only demonstrates control over a particular host and
service, rather than the entire Domain Namespace.
Effective 2021-12-01, these methods MUST NOT be used to issue Wildcard
Certificates and MUST NOT be used as Authorization Domain Names for
subordinate FQDNs of the validated FQDN.
Although not directly modifying the same section, this Ballot does interact
with Ballot SC42: 398-day Re-use Period, and so two versions are presented,
based on whether or not SC42 finishes the IP review period without issues.
If SC42 is adopted, 3.2.2.4.6 does not need to change, because no past
validations can be reused to issue new certificates after the effective
date. However, if SC42 were to fail, 3.2.2.4.6 is also modified to keep
consistent with .18 and .19.
The following motion has been proposed by Ryan Sleevi of Google and endorsed
by Jos Purvis of Cisco and Dimitris Zacharopoulos of HARICA.
It can be viewed on GitHub as
https://github.com/cabforum/servercert/pull/269
<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.co
m%2Fcabforum%2Fservercert%2Fpull%2F269&data=04%7C01%7Cmichael.guenther%40swi
sssign.com%7Cf3e5a5dafbab4138b2a508d92141e2c8%7C21322582607f404c82d950ddb1ec
a5c9%7C1%7C0%7C637577389131964752%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMD
AiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6BxTlrWvVnsnCi
piUWRh%2FhJcke89lfvqoa5zL1lukac%3D&reserved=0>
-- MOTION BEGINS --
This ballot modifies the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates" ("Baseline Requirements"),
based on Version 1.7.4.
If SC42 finishes the IP Review period without issues and is adopted, MODIFY
the Baseline Requirements as specified in the following Redline:
https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b2
6d88d704ca8..e244864fc86819ac43ef82a79c9c43b9366cf087
If SC42 fails to finish the IP Review period without issues and is not
adopted, MODIFY the Baseline Requirements as specified in the following
Redline:
https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b2
6d88d704ca8..2ab50e3667c676d3591318474c3cbff99be8baf2
<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.co
m%2Fcabforum%2Fservercert%2Fcompare%2F47248d77d371356780b08cfa971b26d88d704c
a8..2ab50e3667c676d3591318474c3cbff99be8baf2&data=04%7C01%7Cmichael.guenther
%40swisssign.com%7Cf3e5a5dafbab4138b2a508d92141e2c8%7C21322582607f404c82d950
ddb1eca5c9%7C1%7C0%7C637577389131974707%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4w
LjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=2BDHMkbq
gcNhIGFnfto2BFHomJGIx%2Bo4SN8WtkYjYL0%3D&reserved=0>
-- MOTION ENDS --
This ballot proposes a Final Maintenance Guideline.
The procedure for approval of this ballot is as follows:
Discussion (7+ days)
Start Time: 2021-05-20 19:00:00 UTC
End Time: 2021-05-27 19:00:00 UTC
Vote for approval (7 days)
Start Time: 2021-05-27 19:00:00 UTC
End Time: 2021-06-03 19:00:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210602/a4402763/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 8318 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210602/a4402763/attachment-0001.p7s>
More information about the Servercert-wg
mailing list