[Servercert-wg] Discussion Period Begins: SC-54: Onion cleanup

Corey Bonnell Corey.Bonnell at digicert.com
Fri Mar 4 13:25:26 UTC 2022

Hi Aaron,

Thank you for your careful review. Comments inline.


> Is it more proper to say "each `dNSName`... that does not contain an Onion Domain Name" or "each `dNSName`... that is not an Onion Domain Name"?


To me at least, “contain” seems more appropriate as the domain name is a value contained/encoded in the dNSName GeneralName “field”. However, I don’t feel strongly on this and wouldn’t object to changing the wording if we deem that it would add clarity.


> The number of this item was updated from "3" to "4", but there is not actually a different third item being added. It should remain "3".


Thanks for spotting this. I think we should fix this in a new ballot version and restart the discussion period.





From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Aaron Gable via Servercert-wg
Sent: Thursday, March 3, 2022 5:28 PM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Discussion Period Begins: SC-54: Onion cleanup


Two very minor comments, provided here because there is not an accompanying PR on which github comments can be posted:


> As part of the Certificate issuance process, the CA MUST retrieve and process CAA records in accordance with RFC 8659 for each `dNSName` in the `subjectAltName` extension that does not contain an Onion Domain Name. If the CA issues, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.


Is it more proper to say "each `dNSName`... that does not contain an Onion Domain Name" or "each `dNSName`... that is not an Onion Domain Name"?


> 4. When a Certificate includes an Onion Domain Name, the Domain Name shall not be considered an Internal Name provided that the Certificate was issued in compliance with this [Appendix B](#appendix-b--issuance-of-certificates-for-onion-domain-names).


The number of this item was updated from "3" to "4", but there is not actually a different third item being added. It should remain "3".




On Wed, Mar 2, 2022 at 10:22 PM Dimitris Zacharopoulos (HARICA) via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> > wrote:



Over the years the Server Certificate WG captured several minor cleanup issues related to Onion Certificates.

Here is a summary of the changes:

*	Created a Defined Term for Onion Domain Name. We discovered a lot of repeated long text describing what an onion certificate is, and thought it would be best to add it as a definition
*	Removed EVG Appendix F contents since v2 onion certificates can't be used anymore; it is kept as a placeholder
*	Removed the obligation for the CA to ensure that the applicantSigningNonce includes specific entropy.
*	Tweaked a bit in the hopes of making the initial sentence shorter and easier to read.

The following motion has been proposed by Dimitris Zacharopoulos of HARICA and endorsed by Ben Wilson of Mozilla and Corey Bonnell of DigiCert.


This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 1.8.1:
MODIFY the Baseline Requirements as specified in the following redline:

*	https://github.com/cabforum/servercert/compare/65e80e07855ecc1d2264c040ecc7d398f997d2c5...c2120c30e347899fb89131e10e8617b6cfe74bc4

This ballot modifies the “Guidelines for the Issuance and Management of Extended Validation Certificates” (“EV Guidelines”), based on Version 1.7.8: MODIFY the EV Guidelines as defined in the following redline:

*	https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...c2120c30e347899fb89131e10e8617b6cfe74bc4


This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows: 

Discussion (7+ days)

Start Time: 2022-03-03 15:00:00 UTC
End Time: Not before 2022-03-10 15:00:00 UTC 

Vote for approval (7 days)

Start Time: TBD
End Time: TBD 

