[Servercert-wg] Discussion Period Begins on Ballot SC47v2: Sunset subject:organizationalUnitName

Paul van Brouwershaven Paul.vanBrouwershaven at entrust.com
Mon Jun 21 13:09:11 UTC 2021


Besides the comments from Corey, I have not received any further comments.

If there are no further comments or concerns, I will initiate the voting period tomorrow.

Thanks,

Paul
________________________________
From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Paul van Brouwershaven via Servercert-wg <servercert-wg at cabforum.org>
Sent: Wednesday, June 16, 2021 12:23
To: Corey Bonnell <Corey.Bonnell at digicert.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL] Re: [Servercert-wg] Discussion Period Begins on Ballot SC47v2: Sunset subject:organizationalUnitName

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________
Hi Corey,

1> My initial proposal stated "__Deprecated__ discouraged until prohibited.". This was to align with the current use of deprecated in `subject:commonName` and to make it clear we are encouraging CAs to stop using the OU sooner rather than later. Stating optional instead of deprecated would not encourage CAs to stop using the OU when possible.

Personally, I think it's clear enough, but if others agree, I'm ok to change this to optional or add the suffix back as in the original proposal.

2> Thanks for bringing this up, I was not aware that CAs were still doing this. I would like to prevent adding more sunset dates, does anyone see this immediate prohibition of OU in DV certificates as a problem?

Paul


________________________________
From: Corey Bonnell
Sent: Tuesday, June 15, 2021 19:36
To: Paul van Brouwershaven; CA/B Forum Server Certificate WG Public Discussion List
Subject: [EXTERNAL] RE: Discussion Period Begins on Ballot SC47v2: Sunset subject:organizationalUnitName

________________________________

Hi Paul,

Thanks for sending this proposal out. I have two comments on the proposed language:



  1.  Although the current proposed wording aligns with how Common Name is defined, stating “Deprecated” doesn’t indicate whether the OU is required or optional until the prohibition date. I think it is clearer to state “Optional, but Deprecated” or something to that effect.
  2.  There is at least one CA that is still actively issuing DV certificates with OU, and this inclusion of the OU field was permitted by at least one Root Program. The current wording of the proposal would implement an immediate prohibition on this practice once the ballot clears IPR. I don’t feel strongly about the timeline for this prohibition, but did want to call it out in case this was unintended.



Thanks,

Corey



From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Paul van Brouwershaven via Servercert-wg
Sent: Monday, June 14, 2021 4:43 AM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>
Subject: Re: [Servercert-wg] Discussion Period Begins on Ballot SC47v2: Sunset subject:organizationalUnitName



Please note the link to the redline is showing the correct version but is linking to the previous version.

The correct link as shown: (commit 160f860dc1eccaa273bc8001dadaf07c4bba9dbd)



https://github.com/cabforum/servercert/compare/cf4e17a43977dcf7cb9c9e41efd2df4be4707e13...160f860dc1eccaa273bc8001dadaf07c4bba9dbd



The pull request also shows the actual changes.



________________________________

From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Paul van Brouwershaven via Servercert-wg <servercert-wg at cabforum.org>
Sent: Monday, June 14, 2021 09:51
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL] [Servercert-wg] Discussion Period Begins on Ballot SC47v2: Sunset subject:organizationalUnitName




________________________________

This email begins the discussion period for Ballot SC47v2: Sunset subject:organizationalUnitName



This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.



Purpose of Ballot:



This Ballot sets a sunset date for the `subject:organizationalUnitName` as several earlier attempts to strengthen the validation failed to gain consensus.



The following motion has been proposed by Paul van Brouwershaven of Entrust and endorsed by Ben Wilson of Mozilla and Chema Lopez of Firmaprofesional.



It can be viewed on GitHub as https://github.com/cabforum/servercert/pull/282



===== MOTION BEGINS =====



This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 1.7.6:



MODIFY the Baseline Requirements as specified in the following Redline:



https://github.com/cabforum/servercert/compare/cf4e17a43977dcf7cb9c9e41efd2df4be4707e13...160f860dc1eccaa273bc8001dadaf07c4bba9dbd<https://urldefense.com/v3/__https:/github.com/cabforum/servercert/compare/cf4e17a43977dcf7cb9c9e41efd2df4be4707e13...a70e85f256ee01fbfc6625f667305b4e3fb7fee9__;!!FJ-Y8qCqXTj2!In1_62JB1hlJhP3yHrH8xFv_eCLNnwhczsBSH4EDm_GfhdDT2YslHfzfkaOYowuG40neKQZkDA$>



This ballot modifies the “Guidelines for the Issuance and Management of Extended Validation Certificates” (“EV Guidelines”) as follows, based on Version 1.7.6:



MODIFY the EV Guidelines as defined in the following redline:



https://github.com/cabforum/servercert/compare/cf4e17a43977dcf7cb9c9e41efd2df4be4707e13...160f860dc1eccaa273bc8001dadaf07c4bba9dbd<https://urldefense.com/v3/__https:/github.com/cabforum/servercert/compare/cf4e17a43977dcf7cb9c9e41efd2df4be4707e13...a70e85f256ee01fbfc6625f667305b4e3fb7fee9__;!!FJ-Y8qCqXTj2!In1_62JB1hlJhP3yHrH8xFv_eCLNnwhczsBSH4EDm_GfhdDT2YslHfzfkaOYowuG40neKQZkDA$>



===== MOTION ENDS =====



This ballot proposes a Final Maintenance Guideline.



The procedure for approval of this ballot is as follows:



Discussion (7+ days)



Start Time: 2021-06-14 8:00:00 UTC

End Time: 2021-06-21 8:00:00 UTC



Vote for approval (7 days)



Start Time: TBD

End Time: TBD

