[Servercert-wg] Discussion Period Begins: SC-54: Onion cleanup

Aaron Gable aaron at letsencrypt.org
Thu Mar 3 22:27:13 UTC 2022

Two very minor comments, provided here because there is not an accompanying
PR on which github comments can be posted:

> As part of the Certificate issuance process, the CA MUST retrieve and
process CAA records in accordance with RFC 8659 for each `dNSName` in the
`subjectAltName` extension that does not contain an Onion Domain Name. If
the CA issues, they MUST do so within the TTL of the CAA record, or 8
hours, whichever is greater.

Is it more proper to say "each `dNSName`... that *does not contain* an
Onion Domain Name" or "each `dNSName`... that *is not* an Onion Domain

> 4. When a Certificate includes an Onion Domain Name, the Domain Name
shall not be considered an Internal Name provided that the Certificate was
issued in compliance with this [Appendix

The number of this item was updated from "3" to "4", but there is not
actually a different third item being added. It should remain "3".


On Wed, Mar 2, 2022 at 10:22 PM Dimitris Zacharopoulos (HARICA) via
Servercert-wg <servercert-wg at cabforum.org> wrote:

> PURPOSE OF BALLOT Over the years the Server Certificate WG captured
> several minor cleanup issues related to Onion Certificates.
> Here is a summary of the changes:
>    - Created a Defined Term for Onion Domain Name. We discovered a lot of
>    repeated long text describing what an onion certificate is, and thought it
>    would be best adding as a definition
>    - Removed EVG Appendix F contents since v2 onion certificates can't be
>    used anymore; it is kept as a placeholder
>    - Removed the obligation for the CA to ensure that the
>    applicantSigningNonce includes specific entropy.
>    - Tweaked a bit in the hopes of making the initial sentence
>    shorter and easier to read.
> The following motion has been proposed by Dimitris Zacharopoulos of HARICA
> and endorsed by Ben Wilson of Mozilla and Corey Bonnell of DigiCert.
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 1.8.1:
> MODIFY the Baseline Requirements as specified in the following redline:
>    -
>    https://github.com/cabforum/servercert/compare/65e80e07855ecc1d2264c040ecc7d398f997d2c5...c2120c30e347899fb89131e10e8617b6cfe74bc4
> This ballot modifies the “Guidelines for the Issuance and Management of
> Extended Validation Certificates” (“EV Guidelines”), based on Version
> 1.7.8: MODIFY the EV Guidelines as defined in the following redline:
>    -
>    https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...c2120c30e347899fb89131e10e8617b6cfe74bc4
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
> Discussion (7+ days)
> Start Time: 2022-03-03 15:00:00 UTC
> End Time: Not before 2022-03-10 15:00:00 UTC
> Vote for approval (7 days)
> Start Time: TBD
> End Time: TBD
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20220303/ba80c063/attachment.html>

More information about the Servercert-wg mailing list