[Servercert-wg] Discussion Period Begins: SC-54: Onion cleanup

Aaron Gable aaron at letsencrypt.org
Mon Mar 7 17:50:53 UTC 2022


On Sun, Mar 6, 2022 at 8:26 AM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

> Thanks for the feedback Aaron,
>
> On 4/3/2022 12:27 a.m., Aaron Gable wrote:
>
> Two very minor comments, provided here because there is not an
> accompanying PR on which github comments can be posted:
>
>
> Right, the pull request was posted in the validation SC list but if it
> helps, it is available at https://github.com/dzacharo/servercert/pull/4.
>
>
> > As part of the Certificate issuance process, the CA MUST retrieve and
> process CAA records in accordance with RFC 8659 for each `dNSName` in the
> `subjectAltName` extension that does not contain an Onion Domain Name. If
> the CA issues, they MUST do so within the TTL of the CAA record, or 8
> hours, whichever is greater.
>
> Is it more proper to say "each `dNSName`... that *does not contain* an
> Onion Domain Name" or "each `dNSName`... that *is not* an Onion Domain
> Name"?
>
>
> Aaron, are you proposing to make the text "does not contain" in bold
> letters? I also believe that the word "contain" seems ok in the original
> text.
>
> I tried to reverse the sentence a bit and it seems easier to read.
>
> *"As part of the Certificate issuance process, for each `dNSName` in the
> `subjectAltName` extension that does not contain an Onion Domain Name, the
> CA MUST retrieve and process CAA records in accordance with RFC 8659."*
>
> Are people ok with this or should I revert?
>

I think the original phrasing was good! I wasn't suggesting that it be
changed to "is not", I was genuinely unsure which would be clearer :D But
I've done some more research and it looks like the "contains" phrasing is
already used elsewhere so that sounds good to me.


>
>
> > 4. When a Certificate includes an Onion Domain Name, the Domain Name
> shall not be considered an Internal Name provided that the Certificate was
> issued in compliance with this [Appendix
> B](#appendix-b--issuance-of-certificates-for-onion-domain-names).
>
> The number of this item was updated from "3" to "4", but there is not
> actually a different third item being added. It should remain "3".
>
>
> I made the change. The markdown correctly rendered it as "3" despite the
> text being "4" :)
>
> New immutable link at
>
>    -
>    https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...1bac785b2fd6a3fe0957434f9d13b13a47d4d19b
>
> Please check the above and if there are no other changes, I will restart
> the discussion on Tuesday.
>
>
> Thanks,
> Dimitris.
>
>
> Aaron
>
> On Wed, Mar 2, 2022 at 10:22 PM Dimitris Zacharopoulos (HARICA) via
> Servercert-wg <servercert-wg at cabforum.org> wrote:
>
>>
>> PURPOSE OF BALLOT
>>
>> Over the years the Server Certificate WG captured
>> several minor cleanup issues related to Onion Certificates.
>>
>> Here is a summary of the changes:
>>
>>    - Created a Defined Term for Onion Domain Name. We discovered a lot
>>    of repeated long text describing what an onion certificate is, and thought
>>    it would be best adding as a definition
>>    - Removed EVG Appendix F contents since v2 onion certificates can't
>>    be used anymore; it is kept as a placeholder
>>    - Removed the obligation for the CA to ensure that the
>>    applicantSigningNonce includes specific entropy.
>>    - Tweaked 3.2.2.8 a bit in the hopes of making the initial sentence
>>    shorter and easier to read.
>>
>> The following motion has been proposed by Dimitris Zacharopoulos of
>> HARICA and endorsed by Ben Wilson of Mozilla and Corey Bonnell of DigiCert.
>>
>> MOTION BEGINS
>>
>> This ballot modifies the “Baseline Requirements for the Issuance and
>> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
>> based on Version 1.8.1:
>> MODIFY the Baseline Requirements as specified in the following redline:
>>
>>    -
>>    https://github.com/cabforum/servercert/compare/65e80e07855ecc1d2264c040ecc7d398f997d2c5...c2120c30e347899fb89131e10e8617b6cfe74bc4
>>
>> This ballot modifies the “Guidelines for the Issuance and Management of
>> Extended Validation Certificates” (“EV Guidelines”), based on Version
>> 1.7.8: MODIFY the EV Guidelines as defined in the following redline:
>>
>>    -
>>    https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...c2120c30e347899fb89131e10e8617b6cfe74bc4
>>
>> MOTION ENDS
>>
>> This ballot proposes a Final Maintenance Guideline. The procedure for
>> approval of this ballot is as follows:
>> Discussion (7+ days)
>>
>> Start Time: 2022-03-03 15:00:00 UTC
>> End Time: Not before 2022-03-10 15:00:00 UTC
>> Vote for approval (7 days)
>>
>> Start Time: TBD
>> End Time: TBD
>
>