[Servercert-wg] Discussion Period Begins: SC-54: Onion cleanup

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Sun Mar 6 16:26:42 UTC 2022

Thanks for the feedback Aaron,

On 4/3/2022 12:27 a.m., Aaron Gable wrote:
> Two very minor comments, provided here because there is not an 
> accompanying PR on which github comments can be posted:

Right, the pull request was posted in the validation SC list but if it 
helps, it is available at https://github.com/dzacharo/servercert/pull/4.

> > As part of the Certificate issuance process, the CA MUST retrieve 
> and process CAA records in accordance with RFC 8659 for each `dNSName` 
> in the `subjectAltName` extension that does not contain an Onion 
> Domain Name. If the CA issues, they MUST do so within the TTL of the 
> CAA record, or 8 hours, whichever is greater.
> Is it more proper to say "each `dNSName`... that *does not contain* an 
> Onion Domain Name" or "each `dNSName`... that *is not* an Onion Domain 
> Name"?

Aaron, are you proposing to make the text "does not contain" in bold 
letters? I also believe that the word "contain" seems ok in the original.

I tried to reverse the sentence a bit and it seems easier to read.

/"As part of the Certificate issuance process, for each `dNSName` in the 
`subjectAltName` extension that does not contain an Onion Domain Name, 
the CA MUST retrieve and process CAA records in accordance with RFC 8659."/

Are people ok with this or should I revert?

> > 4. When a Certificate includes an Onion Domain Name, the Domain Name 
> shall not be considered an Internal Name provided that the Certificate 
> was issued in compliance with this [Appendix 
> B](#appendix-b--issuance-of-certificates-for-onion-domain-names).
> The number of this item was updated from "3" to "4", but there is not 
> actually a different third item being added. It should remain "3".

I made the change. The markdown correctly rendered it as "3" despite the 
text being "4" :)

New immutable link at

  * https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...1bac785b2fd6a3fe0957434f9d13b13a47d4d19b

Please check the above and if there are no other changes, I will restart 
the discussion on Tuesday.


> Aaron
> On Wed, Mar 2, 2022 at 10:22 PM Dimitris Zacharopoulos (HARICA) via 
> Servercert-wg <servercert-wg at cabforum.org> wrote:
>     Over the years the Server Certificate WG captured several minor
>     cleanup issues related to Onion Certificates.
>     Here is a summary of the changes:
>       * Created a Defined Term for Onion Domain Name. We discovered a
>         lot of repeated long text describing what an onion certificate
>         is, and thought it would be best adding as a definition
>       * Removed EVG Appendix F contents since v2 onion certificates
>         can't be used anymore; it is kept as a placeholder
>       * Removed the obligation for the CA to ensure that the
>         applicantSigningNonce includes specific entropy.
>       * Tweaked a bit in the hopes of making the initial
>         sentence shorter and easier to read.
>     The following motion has been proposed by Dimitris Zacharopoulos
>     of HARICA and endorsed by Ben Wilson of Mozilla and Corey Bonnell
>     of DigiCert.
>     This ballot modifies the “Baseline Requirements for the Issuance
>     and Management of Publicly-Trusted Certificates” (“Baseline
>     Requirements”), based on Version 1.8.1:
>     MODIFY the Baseline Requirements as specified in the following
>     redline:
>      *
>         https://github.com/cabforum/servercert/compare/65e80e07855ecc1d2264c040ecc7d398f997d2c5...c2120c30e347899fb89131e10e8617b6cfe74bc4
>     This ballot modifies the “Guidelines for the Issuance and
>     Management of Extended Validation Certificates” (“EV Guidelines”),
>     based on Version 1.7.8: MODIFY the EV Guidelines as defined in the
>     following redline:
>      *
>         https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...c2120c30e347899fb89131e10e8617b6cfe74bc4
>         MOTION ENDS
>     This ballot proposes a Final Maintenance Guideline. The procedure
>     for approval of this ballot is as follows:
>           Discussion (7+ days)
>     Start Time: 2022-03-03 15:00:00 UTC
>     End Time: Not before 2022-03-10 15:00:00 UTC
>           Vote for approval (7 days)
>     Start Time: TBD
>     End Time: TBD
>     _______________________________________________
>     Servercert-wg mailing list
>     Servercert-wg at cabforum.org
>     https://lists.cabforum.org/mailman/listinfo/servercert-wg
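The two rules debated above (CAA processing only for SAN `dNSName`s that do not contain an Onion Domain Name, and issuance within the CAA TTL or 8 hours, whichever is greater) as a small issuance gate. This is an added example, not code from the ballot, HARICA or the CA/B Forum; it assumes "contains an Onion Domain Name" means the name ends in the `.onion` TLD (including labels or wildcards under one), and it uses constructed CAA results with Unix-time integers rather than real DNS lookups.

```python
from dataclasses import dataclass

# SC-54 wording: CAA lookup is required for every dNSName in the SAN that does
# not contain an Onion Domain Name (assumed here: an FQDN ending in the .onion
# TLD), and the CA must issue within the CAA record's TTL or 8 hours,
# whichever is greater.
MIN_CAA_WINDOW_SECONDS = 8 * 3600


def contains_onion_domain_name(dns_name: str) -> bool:
    """True if the dNSName is a .onion name, or a label/wildcard under one."""
    labels = dns_name.rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def names_requiring_caa(san_dns_names):
    """SAN names for which RFC 8659 CAA processing is mandatory."""
    return [n for n in san_dns_names if not contains_onion_domain_name(n)]


@dataclass
class CaaResult:
    """A processed CAA lookup (constructed sample; no DNS is queried here)."""
    name: str
    retrieved_at: int   # Unix time at which the CAA record set was fetched
    ttl_seconds: int    # TTL of that CAA record set

    def issue_deadline(self) -> int:
        # "within the TTL of the CAA record, or 8 hours, whichever is greater"
        return self.retrieved_at + max(self.ttl_seconds, MIN_CAA_WINDOW_SECONDS)


def may_issue(san_dns_names, caa_cache, now: int):
    """Gate issuance: every non-onion name needs a CAA result whose issuance
    window has not passed. Returns (ok, names_needing_a_fresh_lookup)."""
    stale = []
    for name in names_requiring_caa(san_dns_names):
        res = caa_cache.get(name)
        if res is None or now > res.issue_deadline():
            stale.append(name)
    return (not stale, stale)
```

Onion names are skipped entirely, so a certificate whose SAN holds only `.onion` names needs no CAA result; a non-onion name with a short TTL still gets the full 8-hour window.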