[Servercert-wg] Discussion Period Begins - Ballot SC-071: Subscriber Agreement and Terms of Use Consolidation

Wayne Thayer wthayer at gmail.com
Tue Apr 16 15:11:39 UTC 2024


I have three questions about the implications of changes proposed by this
ballot:

1. Section 9.6.1 adds language that imposes or makes the following
requirements explicit:

> i. the Subscriber has been provided with the most current version of the
> Subscriber Agreement;
> ii. the applicable Subscriber Agreement is the Subscriber Agreement that
> was accepted when the Certificate was issued; and


I am aware that ACME RFC 8555 section 7.3.3 provides a mechanism for
updating the Subscriber Agreement ("Terms of Service" in the RFC). The
language above seems to imply that this mechanism must be used whenever a
CA changes their Subscriber Agreement. Has this mechanism been deployed and
used at scale?

SIde note here that "accepted when the Certificate was issued" could be
misconstrued to conflict with the statement in 9.6.3 that "a single
Subscriber Agreement MAY be used to cover multiple future certificate
requests and the resulting Certificates". I'd suggest changing "accepted"
to "in force".

2. Section 9.6.3 states that ".The CA SHALL implement a process to ensure
that ... if the CA and Subscriber are the same entity or are Affiliated,
that the Applicant has committed to comply with the Subscriber Agreement."
How would an auditor confirm this?

3. Finally, I'm wondering if some CAs could find themselves out of
compliance when these changes go into effect because they rely on Terms of
Use or need to update their Subscriber Agreement and/or CP/CPS? I don't
have a strong opinion here, but a defined effective date for these changes
might make sense.

Thanks,

Wayne

On Thu, Apr 11, 2024 at 5:49 PM Dustin Hollenback via Servercert-wg <
servercert-wg at cabforum.org> wrote:

>
>
> *Purpose of Ballot SC-071*
>
> This ballot proposes updates to the Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates related to Subscriber
> Agreements and Terms of Use. It combines the requirements for both into
> only the Subscriber Agreement and clarifies the requirement language. It
> removes the requirement and reference to "Terms of Use".
>
>
>
> Notes:
>
> •              This removes any ambiguity to ensure that there is no
> requirement that the Subscriber Agreement be legally enforceable when the
> CA and Subscriber are affiliated.
>
> •              This updates definitions for “Subscriber” and “Subscriber
> Agreement” and removes the definition for “Terms of Use” as these separate
> concepts are creating unnecessary work for CAs and Subscribers without
> adding any value when separated.
>
> •              While drafting this ballot, there were concerns raised
> related to “Applicant” and “Applicant Representative”. These definitions
> were intentionally not modified in this ballot as they will require more
> discussion after we implement the change to Subscriber Agreement and
> removal of Terms of Use.
>
> •              As observed with other ballots in the past, minor
> administrative updates must be made to the proposed ballot text before
> publication such that the appropriate Version # and Change History are
> accurately represented (e.g., to indicate these changes will be represented
> in Version 2.0.3).
>
> •              This ballot does not modify the “Guidelines for the
> Issuance and Management of Extended Validation Certificates”. More work
> will be made to that document after changes are finalized in this one.
>
>
>
> The following motion has been proposed by Dustin Hollenback of Microsoft,
> and endorsed by Tadahiko Ito of SECOM and Ben Wilson of Mozilla.
>
>
>
> *— Motion Begins —*
>
>
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
> based on Version 2.0.2.
>
>
>
> MODIFY the Baseline Requirements as specified in the following Redline:
>
>
>
> Here is a link to the GitHub redline:
>
>
> https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...1a33a904c9f7d8c9d42289f2f458358551db9f2f
> <https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...1a33a904c9f7d8c9d42289f2f458358551d>
>
>
>
> *— Motion Ends —*
>
>
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
>
>
> *Discussion (7+ days)*
>
> •                     Start time: 2024-04-12 01:00:00 UTC
>
> •                     End time: 2024-04-20 01:00:00 UTC
>
>
>
> *Vote for approval (7 days)*
>
> •                     Start time: XXXX-XX-XX 22:00:00 UTC
>
> •                     End time: XXXX-XX-XX 22:00:00 UTC
>
>
>
>
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240416/22f5ffb2/attachment.html>


More information about the Servercert-wg mailing list