From clintw at apple.com Thu Aug 1 23:27:49 2024
From: clintw at apple.com (Clint Wilson)
Date: Thu, 01 Aug 2024 16:27:49 -0700
Subject: [Servercert-wg] Seeking Endorsers and Feedback - SC-077: Update WebTrust Audit name in Section 8.4 and References
Message-ID: <07A3D7AC-B39D-4B26-A306-332D640A8548@apple.com>

Hello all,

I think it's worth getting the WebTrust audit criteria titles and references updated in the TBRs before a CA runs up against a non-compliance that's really avoidable :)

I threw together this Pull Request: https://github.com/cabforum/servercert/pull/514/files. I've also added the Ballot to the wiki (so hopefully I successfully picked an unreserved ballot number).

When I last brought this up, I believe Dimitris had volunteered to endorse; is that still the case? Is there anyone else willing/able to endorse this? (Apologies in advance if I've forgotten a second endorser in the interim!)

I would also appreciate any feedback or suggestions on the ballot changes themselves, of course!

Cheers,
-Clint

From trevolip at amazon.com Fri Aug 2 00:06:34 2024
From: trevolip at amazon.com (Ponds-White, Trev)
Date: Fri, 2 Aug 2024 00:06:34 +0000
Subject: [Servercert-wg] Seeking Endorsers and Feedback - SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001911045acdb-2778b346-bdbe-4e5e-affd-d12de043dcb8-000000@email.amazonses.com>
References: <010001911045acdb-2778b346-bdbe-4e5e-affd-d12de043dcb8-000000@email.amazonses.com>
Message-ID:

We'll be happy to!
From: Servercert-wg On Behalf Of Clint Wilson via Servercert-wg
Sent: Thursday, August 1, 2024 4:28 PM
To: ServerCert CA/BF
Subject: [EXTERNAL] [Servercert-wg] Seeking Endorsers and Feedback - SC-077: Update WebTrust Audit name in Section 8.4 and References

Hello all,

I think it's worth getting the WebTrust audit criteria titles and references updated in the TBRs before a CA runs up against a non-compliance that's really avoidable :)

I threw together this Pull Request: https://github.com/cabforum/servercert/pull/514/files. I've also added the Ballot to the wiki (so hopefully I successfully picked an unreserved ballot number).

When I last brought this up, I believe Dimitris had volunteered to endorse; is that still the case? Is there anyone else willing/able to endorse this? (Apologies in advance if I've forgotten a second endorser in the interim!)

I would also appreciate any feedback or suggestions on the ballot changes themselves, of course!

Cheers,
-Clint

From Inigo.Barreira at sectigo.com Fri Aug 2 11:54:17 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Fri, 2 Aug 2024 11:54:17 +0000
Subject: [Servercert-wg] Results of the Ballot SC-67 V3: "Require domain validation and CAA checks to be performed from multiple Network Perspectives"
Message-ID:

Hi

The voting period for SC67 (Require domain validation and CAA checks to be performed from multiple Network Perspectives) has completed, and the ballot has passed.
Voting Results

Certificate Issuers

22 votes total, with no abstentions:

* 22 Issuers voting YES: Actalis, Buypass, Certum (Asseco), Chunghwa Telecom, D-TRUST, DigiCert, Disig, eMudhra, Entrust, Fastly, GlobalSign, HARICA, IdenTrust, Izenpe, JPRS, Let's Encrypt / ISRG, OISTE, SECOM, Sectigo, SSL.com, Telia Company, TrustAsia
* 0 Issuers voting NO
* 0 Issuers ABSTAIN

Certificate Consumers

4 votes total, with no abstentions:

* 4 Consumers voting YES: Apple, Google, Mozilla, Opera
* 0 Consumers voting NO
* 0 Consumers ABSTAIN

Bylaws Requirements

1. Bylaw 2.3(6) requires:
   * In order for a ballot to be adopted by the Forum, two-thirds (2/3) or more of the votes cast by the Voting Members in the Certificate Issuer category must be in favour of the ballot. This requirement was MET.
   * At least fifty percent (50%) plus one (1) of the votes cast by the Voting Members in the Certificate Consumer category must be in favour of the ballot. This requirement was MET.
   * At least one (1) Voting Member in each category must vote in favour of a ballot for the ballot to be adopted. This requirement was MET.
2. Bylaw 2.3(7) requires:
   * A ballot result will be considered valid only when more than half of the number of currently active Voting Members has participated. The number of currently active Voting Members is the average number of Voting Member organizations that have participated in the previous three (3) Forum Meetings and Forum Teleconferences.
   * The quorum was 14 for this ballot. This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. This will be notified in a separate email.

Regards

From infra-bot at cabforum.org Sun Aug 4 07:34:50 2024
From: infra-bot at cabforum.org (Infrastructure Bot)
Date: Sun, 4 Aug 2024 07:34:50 +0000
Subject: [Servercert-wg] Weekly github digest (Server Certificate Working Group)
Message-ID: <010001911c50003d-2e148f42-1134-4f94-910b-9833ab98b0e3-000000@email.amazonses.com>

Issues
------

* cabforum/servercert (+0/-1/?4)

1 issues received 4 new comments:
- #449 Clarify reusability of Validation of authority (3.2.5 vs. 4.2.1) (4 by aarongable, barrini, defacto64)
  https://github.com/cabforum/servercert/issues/449

1 issues closed:
- IP validation via ACME
  https://github.com/cabforum/servercert/issues/446 [clean-up]

Pull requests
-------------

* cabforum/servercert (+1/-0/?1)

1 pull requests submitted:
- Update BR to clarify that Validation of authority (3.2.5) can also be reused up to 825 days (by defacto64)
  https://github.com/cabforum/servercert/pull/536

1 pull requests received 1 new comments:
- #470 Ballot SC-XX: Measure all hours and days to the second (1 by aarongable)
  https://github.com/cabforum/servercert/pull/470 [ballot]

Repositories tracked by this digest:
-----------------------------------

* https://github.com/cabforum/servercert

From Inigo.Barreira at sectigo.com Mon Aug 5 08:07:46 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Mon, 5 Aug 2024 08:07:46 +0000
Subject: [Servercert-wg] 2024-07-18 Final servercert-wg Meeting Minutes
In-Reply-To:
References:
Message-ID:

Here are the 2024-07-18 final minutes for the servercert-wg meeting.
# Attendees

Aaron Gable (Let's Encrypt), Aaron Poulsen (Amazon), Adrian Mueller (SwissSign), Adriano Santoni (Actalis S.p.A.), Andrea Holland (VikingCloud), Ben Wilson (Mozilla), Bruce Morton (Entrust), Chad Dandar (Cisco Systems), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), Dean Coclin (DigiCert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Inaba Atsushi (GlobalSign), Jaime Hablutzel (OISTE Foundation), Janet Hines (VikingCloud), Johnny Reading (GoDaddy), Karina Sirota (Microsoft), Lynn Jeun (Visa), Marco Schambach (IdenTrust), Martijn Katerbarg (Sectigo), Michelle Coon (OATI), Nargis Mannan (VikingCloud), Nate Smith (GoDaddy), Nicol So (CommScope), Peter Miskovic (Disig), Rebecca Kelly (SSL.com), Rollin Yu (TrustAsia), Sandy Balzer (SwissSign), Scott Rea (eMudhra), Stephen Davidson (DigiCert), Tadahiko Ito (SECOM Trust Systems), Thomas Zermeno (SSL.com), Tobias Josefowitz (Opera Software AS), Wayne Thayer (Fastly), Wendy Brown (US Federal PKI Management Authority), Yamian Quintero (Microsoft)

# Minutes

Dustin read the Note Well.

Interested Party applications for Mike Shaver and Amir Omidi were approved.

June 20th meeting minutes were approved.

## Ballot Status

1. SC-75 (pre-issuance linting): Passed
2. SC-67 (MPIC): In voting period
3. SC-xx (Profiles cleanup ballot): On hold
4. SC-71 (Terms of Use/Subscriber Agreement): On hold, will resume soon

## Issues to discuss

### Github issue https://github.com/mozilla/pkipolicy/issues/280

Ben provided the background on this issue. Ben said that the issue is relevant to both pre-certificates and final certificates. Within a certain period of time, the CA must globally distribute the corresponding for Relying Parties. Ben's initial suggestion is 15 minutes after issuance, but the discussion continues.

Aaron said that establishing this grace period is a good idea, as we have done similar for CRLs.
Aaron said he does not feel strongly on the exact time period (15 minutes vs. 1 hour).

Aaron is unsure that we should explicitly reference "unused" and "reserved", as "reserved" serial numbers do not exist. This is something that should be cleaned up in https://github.com/cabforum/servercert/issues/422. There was agreement by Dimitris and Martijn that this language needs to be improved.

Aaron said there is another related issue in that there is a BR requirement for the CA to operate a revocation status service, but there are other passages that outline similar requirements. It would be useful to make these consistent.

Ben revisited the grace period topic on whether to use 15 minutes or 1 hour. Aaron and Dimitris agreed that 15 minutes is sufficient. Ben raised the concern that many bugs may be filed for minor infractions of an arbitrary requirement.

Aaron suggested that someone should write a ballot to overhaul section 4.9.10 and suggest a time period. Then participants can discuss the concrete proposal. Ben agreed to take this on.

### Github issue https://github.com/cabforum/servercert/issues/436

Martijn said this issue is similar to the Extant CA sunset for the SMIME BRs, where ICA certificates that do not comply with the current profile are sunsetted. Ben mentioned it would be good to have a list of ICAs that do not comply with the current profile to determine potential impact. It was suggested to use a linter to determine this. Since pkilint is up to date with the SC-62 requirements, it was further suggested to use pkilint for this analysis. Martijn took an action item to do this analysis.

### Github issue https://github.com/cabforum/servercert/issues/437

No discussion.

### Github issue https://github.com/cabforum/servercert/issues/438

This issue in particular wasn't discussed, but Ben suggested that it would be good to look at only cleanup items so that we can produce a cleanup ballot after this review. Corey agreed and said that is a more efficient use of time.
### Github issue https://github.com/cabforum/servercert/issues/442

Ben said this issue may be difficult to resolve, as it is difficult to define exactly what "made aware" means. Wayne said that SC-73 partially resolved the issue.

### Github issue https://github.com/cabforum/servercert/issues/443

It was agreed that this issue can be closed.

### Github issue https://github.com/cabforum/servercert/issues/444

Dimitris said that we should add a reference to the appropriate section where name constraints are addressed.

## Other business

Dustin adjourned the meeting.

From Inigo.Barreira at sectigo.com Mon Aug 5 08:08:51 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Mon, 5 Aug 2024 08:08:51 +0000
Subject: [Servercert-wg] Final minutes for the SCWG Teleconference - June 20, 2024
In-Reply-To: <010001903b62eeef-7d0d7075-8268-4ff3-8e71-788d399a2a46-000000@email.amazonses.com>
References: <0100018ff030af5e-3a819f8b-9d8c-47bf-9c0d-d6c036c57202-000000@email.amazonses.com> <010001903a815bc4-36538026-899f-47be-bc3c-4e299d201a34-000000@email.amazonses.com> <010001903b62eeef-7d0d7075-8268-4ff3-8e71-788d399a2a46-000000@email.amazonses.com>
Message-ID:

These are the Final Minutes of the Teleconference described in the subject of this message.
Meeting Date: 2024-06-20

Attendees: Aaron Gable - (Let's Encrypt), Aaron Poulsen - (Amazon), Adrian Mueller - (SwissSign), Adriano Santoni - (Actalis S.p.A.), Ben Wilson - (Mozilla), Brianca Martin - (Amazon), Bruce Morton - (Entrust), Chad Dandar - (Cisco Systems), Corey Rasmussen - (OATI), Dean Coclin - (DigiCert), Dimitris Zacharopoulos - (HARICA), Doug Beattie - (GlobalSign), Enrico Entschew - (D-TRUST), Inaba Atsushi - (GlobalSign), Jaime Hablutzel - (OISTE Foundation), Janet Hines - (VikingCloud), Jos Purvis - (Fastly), Kiran Tummala - (Microsoft), Llew Curran - (GoDaddy), Mads Henriksveen - (Buypass AS), Marco Schambach - (IdenTrust), Martijn Katerbarg - (Sectigo), Michelle Coon - (OATI), Miguel Sanchez - (Google), Naveen Kumar - (eMudhra), Nicol So - (CommScope), Nome Huang - (TrustAsia), Paul van Brouwershaven - (Entrust), Pedro Fuentes - (OISTE Foundation), Rebecca Kelly - (SSL.com), Sandy Balzer - (SwissSign), Scott Rea - (eMudhra), Tathan Thacker - (IdenTrust), Thomas Zermeno - (SSL.com), Tim Hollebeek - (DigiCert), Tobias Josefowitz - (Opera Software AS), Tsung-Min Kuo - (Chunghwa Telecom), Wayne Thayer - (Fastly), Wendy Brown - (US Federal PKI Management Authority)

1. Begin Recording and Roll Call:
   - Inigo Barreira opened the meeting and started the roll call.

2. Read Note-well:
   - Inigo read the note-well.

3. Review Agenda:
   - No additional topics were proposed.

4. Minutes:
   - Draft minutes from F2F #62 have been circulated for review.
   - Minutes from SCWG call June 6th circulated on June 7th were approved.

5. Membership:
   - No new applications.

6. Issues/topics to discuss:
   - GitHub's open issues triage (10 issues per call min):
     - 417 - Amend BRs to Clarify Auditing of "Parked" CA Keys - Important to update section 6.1.1.1 and section 8 to cover audit. Ben will continue to work on this one, looking for support.
     - 420 - The title of the TLS BR should include a reference to TLS/serverAuth - Completed/Closed
     - 422 - Section 4.9.10: Untangle "assigned" vs "reserved" serials, precertificates, and OCSP - Not an urgent item. May need to update definitions to address the issue. Assigned to Tim H to be moved to Definitions and Glossary WG.
     - 423 - Remove specific version in the WebTrust reference in section 1.6.3 - Completed/Closed
     - 424 - RA definitions: Almost anything is an RA - Move to Definitions and Glossary WG
     - 428 - VG 9.2.8 is overly restrictive for the syntax of ISO 3166-2 states/provinces - S/MIME has fixed the issue, which states "For the NTR Registration Scheme identifier, where registrations are administrated at the subdivision (state or province) level, a plus "+" (0x2B (ASCII), U+002B (UTF-8)) followed by an up-to-three alphanumeric character ISO 3166-2 identifier for the subdivision of the nation in which the Registration Scheme is operated." A ballot will be needed for EVG.
     - 430 - Clarify maximum period for DCV usage - Completed/Closed
     - 431 - Align OV and EV org name requirements - Assign to Martijn
     - 432 - Standardize format and style in CABF documents - Work on formatting style. Some information being assembled in the CABF Wiki.
     - 433 - Proposal for automated onion service certificate issuance based on fully qualified onion service key signed certificate request - Iñigo to check if this person finally applied as interested party and if not, close the issue. If yes, keep it for a while.
     - 435 - Error in definition of "Translator" - Assign to Tim who will propose text for a clean-up ballot.
   - PAG update:
     - GoDaddy is withdrawing their exclusion notice. GoDaddy will be asked to submit withdrawal of their exclusion notice; Ben will ask. The ballot can be re-submitted.

7. Ballot Status - see list below:
   - Passed
     - None
   - Failed
     - None
   - Voting Period
     - SC75: Pre-sign linting
   - Discussion Period
     - SC67 v3: Require domain validation and CAA checks to be performed from multiple Network Perspectives - no updates, continue discussion.
   - Review Period
     - SC71: Terms of Use - Not sure of status. Ballot may be abandoned. If not, then the discussion period could be extended. Inigo will contact Dustin to get status.
   - Draft/Under Consideration
     - SCXX: Profiles cleanup ballot - on hold.

8. Any Other Business:
   - No other business.

9. Next call: 4 July call cancelled. Next call is 18 July 2024.

10. Adjourn

From Inigo.Barreira at sectigo.com Mon Aug 5 08:14:33 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Mon, 5 Aug 2024 08:14:33 +0000
Subject: [Servercert-wg] Final minutes of the F2F Bergamo SCWG meeting
In-Reply-To: <01000190662023a8-c17302d2-c42e-41f5-beb6-8f8e68eaa890-000000@email.amazonses.com>
References: <0100019026fecd1b-57507239-da3c-4679-83d5-ddf693273d1d-000000@email.amazonses.com> <01000190662023a8-c17302d2-c42e-41f5-beb6-8f8e68eaa890-000000@email.amazonses.com>
Message-ID:

These are the Final Minutes of the Teleconference described in the subject of this message. You'll find attached a docx format.
# Server Certificate Working Group

Discussion Leader: Inigo Barreira (Sectigo)

Minutes: Tim Callan

## Attendees

In the room: Paul van Brouwershaven (Entrust), Bruce Morton (Entrust), Dave Chin (CPA Canada), Ben Wilson (Mozilla), Wayne Thayer (Fastly), Martijn Katerbarg (Sectigo), Dean Coclin (DigiCert), Corey Bonnell (DigiCert), Leo Grove (SSL.com), Tim Hollebeek (DigiCert), Tsung-Min Kuo (Chunghwa Telecom), Rob Stradling (Sectigo), Nick France (Sectigo), Inigo Barreira (Sectigo), Sven Rajala (Keyfactor), Wei-Hao Tung (Chunghwa Telecom), Romain Delval (Certigna), Josselin Alexmandou (Certigna), Arvid Vermote (GlobalSign), Andreas Henschel (D-Trust), Kateryna Aleksieiva (Asseco), Joanna Brawata (Asseco), Eva Van Steenberge (GlobalSign), Paul Brown (GlobalSign), Christophe Bonjean (GlobalSign), Stephen Davidson (DigiCert), Stefan Kirch (Telekom Security), Tadahiko Ito (SECOM), Michal Malinowski (Asseco), Adrian Mueller (SwissSign), Sandy Balzer (SwissSign), Raffaela Achermann (SwissSign), An Yin (iTrusChina), Chorus Li (iTrusChina), Mars Rosberg (Keyfactor), Kiran Tummala (Microsoft), Puja Sehgal (Microsoft), Mahua Chaudhuri (Microsoft), John Sarapata (Google Trust Services), Miguel Sanchez (Google Trust Services), Adriano Santoni (Actalis), Scott Rea (eMudhra), Devon O'Brien (Google), Clemens Wanko (TUV Austria-ACABc), Matthias Wiedenhorst (TUV IT-ACABc), Jeremy Rowley (DigiCert), Tobias Josefowitz (Opera), Ashish Dhiman, Vinay (OATI), Aggie Wang, Tim Callan (Sectigo), Nate Smith (GoDaddy), Arnold Essing (Telekom), Josef Nigut (Disig), Thomas Zermeno (SSL.com), Antti Backman (Telia), Atsushi Inaba (GlobalSign), Ryan Dickson (Google), Yoshiko Matsuo (JPRS), Mohit Kumar (GlobalSign), Alvin Wang (SHECA), Peter Miskovic (Disig), Marco Schambach (IdenTrust), Janet Hines (VikingCloud), Luis Cervantes (GoDaddy), Brianca Martin (Amazon), Mrugesh Chandarana (IdenTrust), Li-Chun Chen (Chunghwa Telecom), Nicol So (CommScope), Ian McMillan (Microsoft), Andrea Holland (VikingCloud), Trevoli Ponds-White (Amazon), Pedro Fuentes (Wisekey), Nome Huang (TrustAsia), Clint Wilson (Apple)

## Summary

Inigo read the anti-trust statement.

## Agenda

Agenda reviewed and approved.

## Minutes

May 9 minutes were distributed May 13. Inigo asked for comments and received none. Minutes approved.

## Membership applications

Two new applications for membership:

* One interested party, Aryan, in a personal capacity. Inigo sees no issue adding to this WG. There are no concerns and Aryan is added.
* Full membership application by Brainit.sk. This company is listed in the UTL but it does not appear to be in the root stores. This company has not provided test certificates.
  - Inigo does not believe they can be full members.
  - Dean concurs.
  - Dean to reply and say they don't meet the current requirements.

## Summary

Summary of this quarter:

* We had many ballots this quarter. 6 ballots:
  * SC73, SC72, SC65, SC69, SC70, SC68
  * SC73 is under IPR review and will probably finish next week or the week after.
  * SC74 (CPS clarification) failed.

Under discussion: SC67 (MPIC), SC71 (subscriber agreement)

Under consideration: two ballots

New TLS BR versions:

* 2.0.3
* 2.0.4
* 2.0.5 should SC73 go into effect.

3 EVG versions.

New PAG SC to deal with GoDaddy IPR claim.

The number of open issues in GitHub was reduced but recent discussions have made them grow.

We have a new triage process. Inigo asked for feedback. Ben said he likes it.

Many email threads on the distro list.

Validation SC summary:

* Corey will provide better review tomorrow
* MPIC
* Automation
* DTPs

Achievements and goals:

* Slot update
* New charter
* Many ballots
* New EVGs format
* Change WG teleconferences content

Goals

* Goals are listed in the presentation

## Presentations/Topics

### PKI Metal

Making Linting Easier. Talk by Rob Stradling of Sectigo.

SC 75 is considering requiring linting and Chrome has stated it's a very important priority. Implementing linters is actually a hard engineering challenge.
An entire raft of issuance bugs could have been avoided if we used linters available. We would like to make no excuse for any CA to lack preissuance linting.

Rob's experience:

* crt.sh
  * Linting newly issued certs is too slow
  * Updating linters is awkward
  * Need to add support for pkilint
* Sectigo's CA
  * Need to future-proof performance
  * Updating linters is a bit awkward
  * Ongoing code modernization

Ecosystem observations

* SC75 is codifying existing understanding of linters' value
* Using multiple linters is a best practice
* There are also special purpose linters that do one thing well (will mention examples later)

Integrating linters into a CA system is awkward

* They are in different programming languages
* Implementing as preissuance linters can be difficult
* Many are written as command line functions. In some cases it can take half a second to issue just one certificate.
* Many of the CA action items in Bugzilla are integration of Linters, that are often a far time away. Many CAs are tackling and struggling with the same set of linter integrations
* Pain points
  * Integration
  * Upgrading
  * Performance

Introducing PKI Metal

* Provides access to multiple linters via a single API call
* Supports pre certs, certs, OCSP as input, and CRL
* Auto detects the intended profile
* Combines the results of all the linters into a single response
* Supports preissuance and post issuance linting
* Can run multiple instances of every linter
* You can disable any linter you don't want to use
* A modular design to make integration of new linters easier in the future
* Dockerized

Supported linters

* certlint
* x.509lint
* zlint
* pkilint
* dwklint (weak keys according to SC73)
* FTFY

Will be opened soon in GitHub

Would like to encourage it to be a community project and not just a Sectigo project. Please reach out to rob at sectigo.com with questions, feature requests, etc.
Questions:

* Each CA will operate its own instance if able to and otherwise can use the public instance we are making available.
* It can be used totally on prem.
* Mads: Will the rate limits on crt.sh change?
  * Rob is planning on making it backwards compatible.
  * When he updates it, will it change anything? Rate limits make the lint service unavailable.
  * Rob says the reasons for those rate limits will go away. Should take a higher rate.
* Nicol: Updating underlying linters is a problem because it triggers QA. So how would that work with PKI Metal? Do we update PKI Metal itself or the underlying linters or what?
  * Rob: If you're using it dockerized, you'll just update PKI Metal and it will contain each of the linters.
* Ryan: This is incredible and this looks valuable to the community. I can't wait to try this out. Thank you.
* Paul: I suppose you use GitHub actions. Have you thought about incorporating a test corpus before new releases? When people in the ecosystem start relying on PKI Metal, there is an expected quality. They may adopt the new versions without testing it themselves.
  * Rob: Agreed. Quality will be important.
* Dimitris: As the discussion for SC75 is progressing, the expectation was that each CA would have to add controls for linting. It will be their responsibility. This may be an opportunity for the linting ballot to add language about updating. Blindly applying new linters is not necessarily a good choice. How do you plan on handling updates?
  * Rob: This body should think about that policy.
* Rob asks if any CAs have linting completely under control and have no interest in this. Nobody says yes.
* Dimitris: KeyFactor had a similar proposal.
  * Rob: It's possible to have multiple solutions for a problem.
### SwissSign - Organization Identifier

Adrian Mueller and Sandy Balzer

Setting some fields to optional if set

About EV naming fields: CABForganizationIdentifier

They suggest making the CABFOrganizationIdentifier optional

cabfOrganizationIdentifier is a SHALL for OV and Sponsored S/MIME. It's a MUST in EV. Not required in ETSI

Suggesting if OrganizationIdentifier is included, JoI and SerialNumber can be optional.

Benefits:

* Reduced complexity
* Clear requirements
* Less error prone

Tim Hollebeek:

* Making the CABF OrganizationIdentifier optional would be fine
* Everyone likes the organization identifier.
* The other I have to think about. Your argument makes sense.
* As the organization identifier is not mandatory, you would make finding a serial number in a certificate in an automated way more difficult.

Dimitris: TLS implementations have a challenge because some browsers will display the information from the JOI. But it makes sense to remove the redundancy. I would love if certificate consumers could use that information.

Clint: I don't want to get rid of the CABF OrganizationIdentifier

Tim H: The way this happened was PSD 2. If that's your position, we're stuck with both until the end of time.

### Client Authentication

Dimitris: On Bugzilla a CA issued a client cert from a TLS-capable issuing CA. It had a client EKU but not a TLS EKU. I looked at the TLS BRs to figure out if this is in scope or not. Before SC62, issuing a client auth cert was allowed. After it was not. I was looking for clarity if this was the intended effect. Clint is of the opinion it is on purpose. If there are no objections or counterarguments, it would be helpful to add to the BRs.

Paul: I think it would have been a long term goal. We did highlight the changes with the introduction of the ballot. If it was an intended change, why did we not include it in the change list.

Clint: I think it is included in the change list to the extent that the TLS BRs can include it.
The scope of the BRs doesn't cover the leaf certificates issued by the CA but does cover the CA itself. It wasn't made as explicitly clear as Dimitris stated it.

Dimitris: As one of the endorsers of SC62, I would remember if it was something so intentional. But if there is agreement that this is the way we want to go, I'll either create an issue to put it in a clarification ballot to clearly state that TLS issuing CAs should only issue TLS certificates.

### Legal name and DBAs

Martijn Katerbarg: This comes out of an issue we had recently where we had LEGAL NAME dba TRADE NAME. I have a proposal.

Current allowed practice:

* EV legal name or dba (legal name)
* OV is one or the other.

Propose expanding OV to at least allow the current example allowed for EV. Also allow DBA inclusion with both names

Martijn proposed DBA, D/B/A and local equivalents. Case-insensitive approach.

And do we want to add the fourth option to EV also?

Paul:

* Is DBA going to confuse people as an abbreviation?
* Couldn't we use Subject Alternative Name for that?

Scott Rea:

* I think there is a difference in what is displayed by the clients?

Paul:

* Are users actually going to understand this?

Martijn:

* Are users understanding the EV example either?
* That's why I included the local reference.
* Adding to Subject Alt Name is additional things for CAs to take care of, and it seems like an additional complication.

Paul:

* We could think about another subject attribute.

### SCWG Document Publication Procedure

Inigo Barreira: There have been significant changes in SCWG. Many ballots and versions of BRs and EVGs. In New Delhi, we talked about a new way to publish versions of the BRs and EVGs. At one point we were running 3 ballots at a time. Changing from one to another was difficult.

Proposal:

* 2 types of ballots. Regular ones and emergencies.
* New version publication:
  * Approved ballots are merged into the guideline for publication at the end of the quarter.
  * Will include all descriptions.
  * Adopted date will be date of publication
  * Effective dates TBD
* Emergency ballots:
  * Same procedure as now. Publish its own version.
* Potential issues:
  * Different branches affecting the same section
  * Emergency ballot conflicts with a passed ballot awaiting publication

Tim H:

* Would be first of month, not 15th.

Dimitris:

* This is similar to what we discussed in the past. I proposed twice a year.
* We need to change the by-laws.
* I believe it makes sense.

Clint:

* I'm reticent to embed effective dates into bylaws and charters.
* It's gone a lot better to have the general consensus to focus on specific dates.
* It gives us flexibility we would lose if we introduce it into the bylaws.
* My concern is that if we do it wrong, effective dates can be lost six months. We have lost that period where there is a requirement in a document but it's a future effective date.
* I feel like in practice this could be used as an excuse for errors.
* Maybe drafting language would help us with how we would address those.
* We can work on language.

### GitHub open issues

* We looked at issue #272. Martijn: Is this just a cleanup ballot thing?
* #273. Formatting error. Put in cleanup.
* #274. Clarify if 3.2.2.8 can be delegated.
* #278/279 Clarify behavior when an effective date predates its own publication date.
* #303 Remove reference to code signing and focus language on TLS.
  * Inigo: Do we have any such language?
* #306 Clarify OCSP profile
  * Clint: I think this was fixed in SC62.
  * Ben: I think this issue is it was in the wrong section, and I'm not sure we put it in the right section.
  * Clint: It's in 1.7.2.8. So the profile piece at least was fixed.

### Ballots

We have ongoing ballots under discussion period: MPIC and linting. Ryan, can you give a summary of where we are?

Ryan: We received limited discussion in round 2. We incorporated small changes. No discussion for round 3. We intend to commence voting on Monday.
Dimitris: If a CA wanted to try to test MPIC, are you aware of any implementations that a CA could use today to test it. I know there are open APIs from Cloudflare and maybe others. Ryan: We have no feedback on any CAs who have tested. In the ballot preamble we included a link to the Princeton team to accomplish the same goal. We have had no feedback from Princeton or Cloudflare on adoption. Prelinting ballot. Dimitris: * The discussion is going well. There is discussion of phasing it in. September 2024 would be a SHOULD and March 2025 would be a SHALL. * There is a question about if we will add updating language. ### Other business Scott Rea: * I asked a question on the list but I didn't get all my answers. * This is around when we do voting. * There is a requirement about quorum and measuring that. * Some aspects weren't clarified. * Section 6 of the charter defines quorum but doesn't say you need quorum for a valid vote * Does this need to be clarified. * There is a thing about being in the previous 3 meetings. Is this from the start of the ballot or the end of the ballot or what? This needs to be clarifieid. * We need to have at least 1 from each category. Is that sufficient? Do we need more than that? * At least at SCWG this should not be an issue. Dimitris: Quorum is required in the bylaws for voting. The charter is trying to align with the bylaws. Scott: I agree that's implied, but the charter is allowed to deviate. So we should make it explicit. There was a question about if the bylaws say it or not. Scott: The real issue is how to we measure when it starts. Dimitris: This is answered in the bylaws also. It's the last 3 meetings after the voting period stops. Scott: How about only requiring one and not more than one from each category in SCWG. Wayne: The real reason for that requirement is to CAs can't pass something without at least one browser consenting. -------------- next part -------------- An HTML attachment was scrubbed... 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: F2F minutes - SCWG.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 20395 bytes
Desc: not available

From dzacharo at harica.gr Mon Aug 5 08:14:55 2024
From: dzacharo at harica.gr (Dimitris Zacharopoulos (HARICA))
Date: Mon, 5 Aug 2024 11:14:55 +0300
Subject: [Servercert-wg] Seeking Endorsers and Feedback - SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001911045c5a1-12e2b903-3506-4c4d-90e7-9894f7291471-000000@email.amazonses.com>
References: <010001911045c5a1-12e2b903-3506-4c4d-90e7-9894f7291471-000000@email.amazonses.com>
Message-ID: <2286325e-ff27-4f12-b98b-6c729623f2dd@harica.gr>

Still endorsing.

Thanks,
Dimitris.

From Inigo.Barreira at sectigo.com Mon Aug 5 14:39:52 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Mon, 5 Aug 2024 14:39:52 +0000
Subject: [Servercert-wg] Notice of Review Period: Ballot SC75: Pre-sign linting
In-Reply-To: <010001905a34b1f0-00e991cd-8d02-4918-b8ba-1409c435ae84-000000@email.amazonses.com>
References: <010001905a34b1f0-00e991cd-8d02-4918-b8ba-1409c435ae84-000000@email.amazonses.com>
Message-ID:

This is to notify the community that the IPR review period for ballot SC75 (Pre-sign linting) has completed. No IPR Exclusion Notices were filed, and the ballot becomes effective. The TLS BR version 2.0.6 has been published to the CABF public website in accordance with the Bylaws.

Regards

From: Servercert-wg On Behalf Of Inigo Barreira via Servercert-wg
Sent: Thursday, 27 June 2024 16:59
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: [Servercert-wg] Notice of Review Period: Ballot SC75: Pre-sign linting

NOTICE OF REVIEW PERIOD

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's Intellectual Property Rights Policy (v1.3). This Review Period of 30 days is for one Final Maintenance Guideline. The complete Draft Maintenance Guideline that is the subject of this Review Notice is attached to this email, both in red-line and changes-accepted draft format, in Word and PDF versions.
Summary of Review

Ballot for Review: Ballot SC-75 - Pre-sign linting | CA/Browser Forum (cabforum.org)
Start of Review Period: 28/06/2024 at 9:00 AM UTC
End of Review Period: 28/07/2024 at 9:00 AM UTC

Members with any Essential Claim(s) to exclude must forward a written Notice to Exclude Essential Claims to the Working Group Chair (email to Iñigo Barreira) and also submit a copy to the CA/B Forum public mailing list (email to public at cabforum.org) before the end of the Review Period. For details, please see the current version of the CA/Browser Forum Intellectual Property Rights Policy. (An optional template for submitting an Exclusion Notice is available at https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf)

From Inigo.Barreira at sectigo.com Mon Aug 5 16:13:37 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Mon, 5 Aug 2024 16:13:37 +0000
Subject: [Servercert-wg] Notice of review period. Ballot SC67: Multi-Perspective Issuance Corroboration
Message-ID:

NOTICE OF REVIEW PERIOD

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's Intellectual Property Rights Policy (v1.3). This Review Period of 30 days is for one Final Maintenance Guideline. The complete Draft Maintenance Guideline that is the subject of this Review Notice is attached to this email, both in red-line and changes-accepted draft format, in Word and PDF versions.

Summary of Review

Ballot for Review: SC-067 V3: Require Multi-Perspective Issuance Corroboration (Version 3) by ChristopherRC · Pull Request #517 · cabforum/servercert (github.com)
Start of Review Period: 05/08/2024 at 18:00 UTC
End of Review Period: 05/09/2024 at 18:00 UTC

Members with any Essential Claim(s) to exclude must forward a written Notice to Exclude Essential Claims to the Working Group Chair (email to Iñigo Barreira) and also submit a copy to the CA/B Forum public mailing list (email to public at cabforum.org) before the end of the Review Period. For details, please see the current version of the CA/Browser Forum Intellectual Property Rights Policy. (An optional template for submitting an Exclusion Notice is available at https://cabforum.org/wp-content/uploads/Template-for-Exclusion-Notice.pdf)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: TLSBR-SC67.zip
Type: application/x-zip-compressed
Size: 983250 bytes
Desc: not available

From clintw at apple.com Tue Aug 6 16:55:32 2024
From: clintw at apple.com (Clint Wilson)
Date: Tue, 06 Aug 2024 09:55:32 -0700
Subject: [Servercert-wg] Discussion Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
Message-ID:

Purpose of Ballot

CPA Canada has separated the audit criteria which map to the Network and Certificate System Security Requirements (NCSSRs) from the audit criteria which map to the TLS Baseline Requirements (TBRs). As a result, the requirements in Section 8.4 are out of date for audits which use the updated/separated audit criteria. However, we also need to ensure the combined audit criteria are able to be used until fully deprecated by CPA Canada and/or Root Programs stop accepting them.
This ballot modifies Section 8.4 to allow for a CA to be audited against either:

* WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security; or
* WebTrust Principles and Criteria for Certification Authorities – SSL Baseline AND WebTrust Principles and Criteria for Certification Authorities – Network Security

Motion

The following motion has been proposed by Clint Wilson (Apple) and endorsed by Dimitris Zacharopoulos (HARICA) and Trevoli Ponds-White (Amazon).

You can view and comment on the Github pull request representing this ballot here.

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.0.5 as specified in the following redline:

* https://github.com/cabforum/servercert/compare/20af1b271f2b689344ae353d3e78dc6b772199db...a9d3e3b6e514cf8b4d44ace625a447108c04a91c

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)
* Start time: August 6, 2024 17:00 UTC
* End time: on or after August 13, 2024 17:00 UTC

Vote for approval (7 days)
* Start time: TBD
* End time: TBD

From aaron at letsencrypt.org Fri Aug 9 18:54:05 2024
From: aaron at letsencrypt.org (Aaron Gable)
Date: Fri, 9 Aug 2024 11:54:05 -0700
Subject: [Servercert-wg] Seeking endorsers for Ballot SC-076 "Clarify and improve OCSP requirements"
Message-ID:

This ballot has grown out of discussions around whether OCSP responses must be made available for Precertificates, and how quickly they must be made available after initial issuance. Much of that conversation is captured in this bugzilla incident and this Mozilla issue.

In addition, I've often felt like Sections 4.9.9 and 4.9.10 are poorly laid out, with little rhyme or reason as to why any particular requirement lives in one section or the other. RFC 3647 says that Section 4.9.10 is meant to place requirements on relying parties, not on CAs, which explains much of the confusion.

The result is a total rearrangement of Sections 4.9.9 and 4.9.10. This ballot empties 4.9.10, moves all of its requirements into 4.9.9, and arranges them into three sections:
- A few definitions (which apply only in this section);
- Requirements which apply to OCSP Responders whose URLs are found in the AIA OCSP field of certificates; and
- Requirements which apply to all OCSP Responses, regardless of how they were queried.

The PR representing this ballot is here: https://github.com/cabforum/servercert/pull/535

Please let me know if you have any comments or suggested changes on the GitHub PR, and please let me know if you'd be willing to endorse.

Thank you,
Aaron

From Bruce.Morton at entrust.com Fri Aug 9 21:08:12 2024
From: Bruce.Morton at entrust.com (Bruce Morton)
Date: Fri, 9 Aug 2024 21:08:12 +0000
Subject: [Servercert-wg] [EXTERNAL] Seeking endorsers for Ballot SC-076 "Clarify and improve OCSP requirements"
In-Reply-To: <01000191387dee33-b25ce336-81a0-4b9f-818a-b13fc94e0fc9-000000@email.amazonses.com>
References: <01000191387dee33-b25ce336-81a0-4b9f-818a-b13fc94e0fc9-000000@email.amazonses.com>
Message-ID:

Hi Aaron,

Thanks for the ballot proposal. I have feedback from our team that it would be great to have 3 months or so to make sure that this requirement is addressed properly: "Authoritative OCSP responses MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the certificate signing operation occurs." Could we add in an effective date for this requirement?

Thanks, Bruce.
From bwilson at mozilla.com Sat Aug 10 15:02:14 2024
From: bwilson at mozilla.com (Ben Wilson)
Date: Sat, 10 Aug 2024 09:02:14 -0600
Subject: [Servercert-wg] Seeking endorsers for Ballot SC-076 "Clarify and improve OCSP requirements"
In-Reply-To: <01000191387df2ac-3f283e0d-201d-4430-99de-817a4db34eb6-000000@email.amazonses.com>
References: <01000191387df2ac-3f283e0d-201d-4430-99de-817a4db34eb6-000000@email.amazonses.com>
Message-ID:

Mozilla will endorse.

From infra-bot at cabforum.org Sun Aug 11 07:34:57 2024
From: infra-bot at cabforum.org (Infrastructure Bot)
Date: Sun, 11 Aug 2024 07:34:57 +0000
Subject: [Servercert-wg] Weekly github digest (Server Certificate Working Group)
Message-ID: <01000191405ca027-abb7eed6-7e29-430e-b27c-961b7695b14a-000000@email.amazonses.com>

Pull requests
-------------

* cabforum/servercert (+1/-2/?0)
  1 pull requests submitted:
  - Update BR.md (#517) (by barrini)
    https://github.com/cabforum/servercert/pull/537
  2 pull requests merged:
  - SC-067 V3: Require Multi-Perspective Issuance Corroboration (Version 3)
    https://github.com/cabforum/servercert/pull/517 [baseline-requirements] [ballot]
  - Ballot SC-75 - Pre-sign linting
    https://github.com/cabforum/servercert/pull/527

Repositories tracked by this digest:
-----------------------------------
* https://github.com/cabforum/servercert

From aaron at letsencrypt.org Mon Aug 12 22:21:46 2024
From: aaron at letsencrypt.org (Aaron Gable)
Date: Mon, 12 Aug 2024 15:21:46 -0700
Subject: [Servercert-wg] Seeking endorsers for Ballot SC-076 "Clarify and improve OCSP requirements"
In-Reply-To:
References:
Message-ID:

Thank you to Ben Wilson for offering to endorse.

Thank you also to Bruce Morton, Wayne Thayer, and Antonios Eleftheriadis for providing feedback on the proposed ballot text. I have made minor updates per their comments, and am still seeking a second endorser.
Aaron

From antoniose at harica.gr Tue Aug 13 10:16:01 2024
From: antoniose at harica.gr (Antonis Eleftheriadis)
Date: Tue, 13 Aug 2024 13:16:01 +0300
Subject: [Servercert-wg] Seeking endorsers for Ballot SC-076 "Clarify and improve OCSP requirements"
In-Reply-To: <0100019148af4213-2d46ed88-450e-4999-a803-ad4d9015cc6b-000000@email.amazonses.com>
References: <0100019148af4213-2d46ed88-450e-4999-a803-ad4d9015cc6b-000000@email.amazonses.com>
Message-ID: <789ed9f4-a223-40c8-acbf-e5eef607ebaf@harica.gr>

HARICA will endorse.

Regards,
Antonis
From clintw at apple.com Tue Aug 13 17:04:37 2024
From: clintw at apple.com (Clint Wilson)
Date: Tue, 13 Aug 2024 10:04:37 -0700
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
Message-ID:

Purpose of Ballot

CPA Canada has separated the audit criteria which map to the Network and Certificate System Security Requirements (NCSSRs) from the audit criteria which map to the TLS Baseline Requirements (TBRs). As a result, the requirements in Section 8.4 are out of date for audits which use the updated/separated audit criteria. However, we also need to ensure the combined audit criteria are able to be used until fully deprecated by CPA Canada and/or Root Programs stop accepting them.

This ballot modifies Section 8.4 to allow for a CA to be audited against either:

* WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security; or
* WebTrust Principles and Criteria for Certification Authorities – SSL Baseline AND WebTrust Principles and Criteria for Certification Authorities – Network Security

Motion

The following motion has been proposed by Clint Wilson (Apple) and endorsed by Dimitris Zacharopoulos (HARICA) and Trevoli Ponds-White (Amazon).

You can view and comment on the Github pull request representing this ballot here.

Motion Begins

MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.0.5 as specified in the following redline:

* https://github.com/cabforum/servercert/compare/20af1b271f2b689344ae353d3e78dc6b772199db...a9d3e3b6e514cf8b4d44ace625a447108c04a91c

Motion Ends

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

Discussion (at least 7 days)
* Start time: August 6, 2024 17:00 UTC
* End time: on or after August 13, 2024 17:00 UTC

Vote for approval (7 days)
* Start time: August 13, 2024 17:00 UTC
* End time: August 20, 2024 17:00 UTC

From trevolip at amazon.com Tue Aug 13 17:33:14 2024
From: trevolip at amazon.com (Ponds-White, Trev)
Date: Tue, 13 Aug 2024 17:33:14 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb329e3-bb9e7c2a-a9b1-4c0a-b000-7b017f41e885-000000@email.amazonses.com>
References: <010001914cb329e3-bb9e7c2a-a9b1-4c0a-b000-7b017f41e885-000000@email.amazonses.com>
Message-ID:

Amazon Trust Services votes yes.
From clintw at apple.com Tue Aug 13 18:24:50 2024
From: clintw at apple.com (Clint Wilson)
Date: Tue, 13 Aug 2024 11:24:50 -0700
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb329e3-bb9e7c2a-a9b1-4c0a-b000-7b017f41e885-000000@email.amazonses.com>
References: <010001914cb329e3-bb9e7c2a-a9b1-4c0a-b000-7b017f41e885-000000@email.amazonses.com>
Message-ID: <13A5990D-F6BB-4706-82A3-4AE1BFB33607@apple.com>

Apple votes YES on Ballot SC-077

From Bruce.Morton at entrust.com Tue Aug 13 18:34:01 2024
From: Bruce.Morton at entrust.com (Bruce Morton)
Date: Tue, 13 Aug 2024 18:34:01 +0000
Subject: [Servercert-wg] [EXTERNAL] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb32b08-9d8ff735-a962-40fc-bfc5-cd3dea69565a-000000@email.amazonses.com>
References: <010001914cb32b08-9d8ff735-a962-40fc-bfc5-cd3dea69565a-000000@email.amazonses.com>
Message-ID:

Entrust votes Yes to ballot SC-007.

Bruce.
From: Servercert-wg On Behalf Of Clint Wilson via Servercert-wg Sent: Tuesday, August 13, 2024 1:05 PM To: ServerCert CA/BF Subject: [EXTERNAL] [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References Purpose of Ballot CPA Canada has separated the audit criteria which map to the Network and Certificate System Security Requirements (NCSSRs) from the audit criteria which map to the TLS Baseline Requirements (TBRs). As a result, the requirements in Section 8.4 are out of date for audits which use the updated/separated audit criteria. However, we also need to ensure the combined audit criteria are able to be used until fully deprecated by CPA Canada and/or Root Programs stop accepting them. This ballot modifies Section 8.4 to allow for a CA to be audited against either: * WebTrust Principles and Criteria for Certification Authorities ? SSL Baseline with Network Security; or * WebTrust Principles and Criteria for Certification Authorities ? SSL Baseline AND WebTrust Principles and Criteria for Certification Authorities ? Network Security Motion The following motion has been proposed by Clint Wilson (Apple) and endorsed by Dimitris Zacharopoulos (HARICA) and Trevoli Ponds-White (Amazon) You can view and comment on the Github pull request representing this ballot here. Motion Begins MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.0.5 as specified in the following redline: * https://github.com/cabforum/servercert/compare/20af1b271f2b689344ae353d3e78dc6b772199db...a9d3e3b6e514cf8b4d44ace625a447108c04a91c Motion Ends This ballot proposes a Final Maintenance Guideline. 
The procedure for approval of this ballot is as follows: Discussion (at least 7 days) * Start time: August 6, 2024 17:00 UTC * End time: on or after August 13, 2024 17:00 UTC Vote for approval (7 days) * Start time: August 13, 2024 17:00 UTC * End time: August 20, 2024 17:00 UTC Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Bruce.Morton at entrust.com Tue Aug 13 19:52:32 2024 From: Bruce.Morton at entrust.com (Bruce Morton) Date: Tue, 13 Aug 2024 19:52:32 +0000 Subject: [Servercert-wg] [EXTERNAL] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914d04fccc-62ba79f5-beda-4a31-9348-c48e239c6f63-000000@email.amazonses.com> References: <010001914cb32b08-9d8ff735-a962-40fc-bfc5-cd3dea69565a-000000@email.amazonses.com> <010001914d04fccc-62ba79f5-beda-4a31-9348-c48e239c6f63-000000@email.amazonses.com> Message-ID: Entrust votes Yes to ballot SC-077. Bruce. From: Servercert-wg On Behalf Of Bruce Morton via Servercert-wg Sent: Tuesday, August 13, 2024 2:34 PM To: Clint Wilson ; CA/B Forum Server Certificate WG Public Discussion List Subject: Re: [Servercert-wg] [EXTERNAL] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References Entrust votes Yes to ballot SC-007. Bruce. From: Servercert-wg On Behalf Of Clint Wilson via Servercert-wg Sent: Tuesday, August 13, 2024 1:?05 PM To: ServerCert CA/BF Entrust votes Yes to ballot SC-007. Bruce. 
From pfuentes at wisekey.com Wed Aug 14 14:06:49 2024
From: pfuentes at wisekey.com (Pedro FUENTES)
Date: Wed, 14 Aug 2024 14:06:49 +0000
Subject: [Servercert-wg] [EXTERNAL]-Re: VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cfca7ad-376da37b-5870-4315-af02-c8710b7ea752-000000@email.amazonses.com>
References: <010001914cb329e3-bb9e7c2a-a9b1-4c0a-b000-7b017f41e885-000000@email.amazonses.com> <010001914cfca7ad-376da37b-5870-4315-af02-c8710b7ea752-000000@email.amazonses.com>
Message-ID: <095EFD9D-0648-4497-90D4-4DA5AD02D8AD@wisekey.com>

OISTE votes Yes to SC-077
WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland

From tom at ssl.com Wed Aug 14 15:16:39 2024
From: tom at ssl.com (Tom Zermeno)
Date: Wed, 14 Aug 2024 15:16:39 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb32d98-c1b3c4e1-8f92-4658-9f51-696aa19c8101-000000@email.amazonses.com>
References: <010001914cb32d98-c1b3c4e1-8f92-4658-9f51-696aa19c8101-000000@email.amazonses.com>
Message-ID:

SSL.com votes "Yes" on Ballot SC-077.

Regards,
Tom
SSL.com
From bwilson at mozilla.com Wed Aug 14 16:32:04 2024
From: bwilson at mozilla.com (Ben Wilson)
Date: Wed, 14 Aug 2024 17:32:04 +0100
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb32f52-c858d978-3faa-464e-a85a-3ded835c4e90-000000@email.amazonses.com>
References: <010001914cb32f52-c858d978-3faa-464e-a85a-3ded835c4e90-000000@email.amazonses.com>
Message-ID:

Mozilla votes "Yes" on Ballot SC-077.
From brittany at godaddy.com Wed Aug 14 18:52:16 2024
From: brittany at godaddy.com (Brittany Randall)
Date: Wed, 14 Aug 2024 18:52:16 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com>
References: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com>
Message-ID:

GoDaddy votes "Yes" on SC-077.

Best,
Brittany
From wthayer at gmail.com Thu Aug 15 04:01:18 2024
From: wthayer at gmail.com (Wayne Thayer)
Date: Wed, 14 Aug 2024 21:01:18 -0700
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com>
References: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com>
Message-ID:

Fastly votes Yes to ballot SC-077.

- Wayne
From doug.beattie at globalsign.com Thu Aug 15 10:56:17 2024
From: doug.beattie at globalsign.com (Doug Beattie)
Date: Thu, 15 Aug 2024 10:56:17 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com>
References: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com>
Message-ID:

GlobalSign votes Yes to ballot SC-077.

Doug
From martijn.katerbarg at sectigo.com Thu Aug 15 11:00:47 2024
From: martijn.katerbarg at sectigo.com (Martijn Katerbarg)
Date: Thu, 15 Aug 2024 11:00:47 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb32d98-c1b3c4e1-8f92-4658-9f51-696aa19c8101-000000@email.amazonses.com>
References: <010001914cb32d98-c1b3c4e1-8f92-4658-9f51-696aa19c8101-000000@email.amazonses.com>
Message-ID:

Sectigo votes YES to ballot SC-077

From realsky at cht.com.tw Thu Aug 15 12:07:24 2024
From: realsky at cht.com.tw (陳立群)
Date: Thu, 15 Aug 2024 12:07:24 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <0100019155b2bce0-cd60edf4-3969-44d9-a34a-f685a89d3dd7-000000@email.amazonses.com>
References: <010001914cb32d98-c1b3c4e1-8f92-4658-9f51-696aa19c8101-000000@email.amazonses.com> <0100019155b2bce0-cd60edf4-3969-44d9-a34a-f685a89d3dd7-000000@email.amazonses.com>
Message-ID:

Chunghwa Telecom Votes Yes to ballot SC-077.
Li-Chun

From scott.rea at emudhra.com Thu Aug 15 13:08:26 2024
From: scott.rea at emudhra.com (Scott Rea)
Date: Thu, 15 Aug 2024 13:08:26 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb32b08-9d8ff735-a962-40fc-bfc5-cd3dea69565a-000000@email.amazonses.com>
References: <010001914cb32b08-9d8ff735-a962-40fc-bfc5-cd3dea69565a-000000@email.amazonses.com>
Message-ID:

eMudhra votes Yes on Ballot SC-077
From nicol.so at commscope.com Thu Aug 15 16:06:45 2024
From: nicol.so at commscope.com (So, Nicol)
Date: Thu, 15 Aug 2024 16:06:45 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb329e3-bb9e7c2a-a9b1-4c0a-b000-7b017f41e885-000000@email.amazonses.com>
References: <010001914cb329e3-bb9e7c2a-a9b1-4c0a-b000-7b017f41e885-000000@email.amazonses.com>
Message-ID:

CommScope votes "yes" on ballot SC-077.
From tim.hollebeek at digicert.com Thu Aug 15 16:25:40 2024
From: tim.hollebeek at digicert.com (Tim Hollebeek)
Date: Thu, 15 Aug 2024 16:25:40 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb32b08-9d8ff735-a962-40fc-bfc5-cd3dea69565a-000000@email.amazonses.com>
References: <010001914cb32b08-9d8ff735-a962-40fc-bfc5-cd3dea69565a-000000@email.amazonses.com>
Message-ID:

DigiCert votes YES on SC-077.

-Tim
Name: smime.p7s Type: application/pkcs7-signature Size: 5231 bytes Desc: not available URL: From Marco.Schambach at IdenTrust.com Thu Aug 15 16:35:30 2024 From: Marco.Schambach at IdenTrust.com (Marco Schambach) Date: Thu, 15 Aug 2024 16:35:30 +0000 Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com> References: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com> Message-ID: IdenTrust votes "Yes" on Ballot SC-077 Marco S. TrustID Program Manager -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5444 bytes Desc: not available URL: From d-fernandez at izenpe.eus Fri Aug 16 11:34:12 2024 From: d-fernandez at izenpe.eus (Fernandez Ruperez, David Alvaro) Date: Fri, 16 Aug 2024 11:34:12 +0000 Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com> References: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com> Message-ID: IZENPE votes "YES" to Ballot SC-077 -------------- next part -------------- An HTML attachment was scrubbed...
URL: From andreaholland at vikingcloud.com Fri Aug 16 15:13:37 2024 From: andreaholland at vikingcloud.com (Andrea Holland) Date: Fri, 16 Aug 2024 15:13:37 +0000 Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001915af7bf74-88282ee1-2325-4930-8bcd-a24dc7c61188-000000@email.amazonses.com> References: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com> <010001915af7bf74-88282ee1-2325-4930-8bcd-a24dc7c61188-000000@email.amazonses.com> Message-ID: VikingCloud votes Yes to SC-077. Regards, Andrea Holland -------------- next part -------------- An HTML attachment was scrubbed...
URL: From infra-bot at cabforum.org Sun Aug 18 07:34:45 2024 From: infra-bot at cabforum.org (Infrastructure Bot) Date: Sun, 18 Aug 2024 07:34:45 +0000 Subject: [Servercert-wg] Weekly github digest (Server Certificate Working Group) Message-ID: <010001916468f5ac-c5f88b3c-2b1f-42ca-8f83-23412c694073-000000@email.amazonses.com> Pull requests ------------- * cabforum/servercert (+0/-0/?1) 1 pull requests received 1 new comments: - #535 Ballot SC-76: Clarify and improve OCSP requirements (1 by aarongable) https://github.com/cabforum/servercert/pull/535 Repositories tracked by this digest: ----------------------------------- * https://github.com/cabforum/servercert -------------- next part -------------- An HTML attachment was scrubbed... URL: From rollin.yu at trustasia.com Mon Aug 19 01:41:49 2024 From: rollin.yu at trustasia.com (Rollin.Yu) Date: Mon, 19 Aug 2024 01:41:49 +0000 Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914cb32d98-c1b3c4e1-8f92-4658-9f51-696aa19c8101-000000@email.amazonses.com> References: <010001914cb32d98-c1b3c4e1-8f92-4658-9f51-696aa19c8101-000000@email.amazonses.com> Message-ID: TrustAsia votes YES on Ballot SC-077. Best regards, Rollin Yu -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed...
Name: smime.p7s Type: application/pkcs7-signature Size: 3668 bytes Desc: not available URL: From fumia-ono at secom.co.jp Mon Aug 19 03:01:00 2024 From: fumia-ono at secom.co.jp (ONO, Fumiaki) Date: Mon, 19 Aug 2024 03:01:00 +0000 Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com> References: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com> Message-ID: SECOM Trust Systems votes YES on Ballot SC-077. Best Regards, ONO, Fumiaki SECOM Trust Systems Co., Ltd. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dzacharo at harica.gr Mon Aug 19 10:14:14 2024 From: dzacharo at harica.gr (Dimitris Zacharopoulos (HARICA)) Date: Mon, 19 Aug 2024 13:14:14 +0300 Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com> References: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com> Message-ID: HARICA votes "yes" to ballot SC-077.
-------------- next part -------------- An HTML attachment was scrubbed... URL: From Mads.Henriksveen at buypass.no Mon Aug 19 20:59:02 2024 From: Mads.Henriksveen at buypass.no (Mads Egil Henriksveen) Date: Mon, 19 Aug 2024 20:59:02 +0000 Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914cb33b6e-5dd797f4-4c90-4855-9bc7-5f7f131d6826-000000@email.amazonses.com> References: <010001914cb33b6e-5dd797f4-4c90-4855-9bc7-5f7f131d6826-000000@email.amazonses.com> Message-ID: Buypass votes YES on ballot SC-077. Regards Mads -------------- next part -------------- An HTML attachment was scrubbed... URL: From ryandickson at google.com Tue Aug 20 00:00:38 2024 From: ryandickson at google.com (Ryan Dickson) Date: Mon, 19 Aug 2024 20:00:38 -0400 Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com> References: <010001914cb32c85-d41baaec-6287-4eec-a46c-9933fdb54b65-000000@email.amazonses.com> Message-ID: Google votes YES on Ballot SC-077.
-------------- next part -------------- An HTML attachment was scrubbed... URL: From chtsai at twca.com.tw Tue Aug 20 00:16:32 2024 From: chtsai at twca.com.tw (蔡家宏 (chtsai)) Date: Tue, 20 Aug 2024 00:16:32 +0000 Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914cb34318-055b92e5-46a0-4a70-a1a2-e9178fbc3d1c-000000@email.amazonses.com> References: <010001914cb34318-055b92e5-46a0-4a70-a1a2-e9178fbc3d1c-000000@email.amazonses.com> Message-ID: TWCA votes YES on ballot SC-077. Best regards, ChtaHung Tsai -------------- next part -------------- An HTML attachment was scrubbed... URL: From qiudawei at cfca.com.cn Tue Aug 20 01:24:27 2024 From: qiudawei at cfca.com.cn (仇大伟) Date: Tue, 20 Aug 2024 09:24:27 +0800 (GMT+08:00) Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References In-Reply-To: <010001914cb33b6e-5dd797f4-4c90-4855-9bc7-5f7f131d6826-000000@email.amazonses.com> References: <010001914cb33b6e-5dd797f4-4c90-4855-9bc7-5f7f131d6826-000000@email.amazonses.com> Message-ID: <64536358.145c.1916d62a624.Coremail.qiudawei@cfca.com.cn> CFCA votes Yes to SC-077. -------------- next part -------------- An HTML attachment was scrubbed...
From xu_lei at itrus.cn Tue Aug 20 05:21:15 2024
From: xu_lei at itrus.cn (xu_lei at itrus.cn)
Date: Tue, 20 Aug 2024 13:21:15 +0800
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
References: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com>
Message-ID: <202408201321143054272@itrus.cn>

iTrusChina votes YES on ballot SC-077

From yoshihiko at jprs.co.jp Tue Aug 20 06:01:20 2024
From: yoshihiko at jprs.co.jp (Yoshihiko Matsuo)
Date: Tue, 20 Aug 2024 15:01:20 +0900
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com>
References: <010001914cb33e1f-cfe308c6-0d8f-476e-9407-5895f4741780-000000@email.amazonses.com>
Message-ID: <4142ea46-0c2b-4184-a368-22679dbfaf61@jprs.co.jp>

JPRS votes YES to Ballot SC-077.

Yoshihiko Matsuo

From aaron at letsencrypt.org Thu Aug 22 16:27:26 2024
From: aaron at letsencrypt.org (Aaron Gable)
Date: Thu, 22 Aug 2024 09:27:26 -0700
Subject: [Servercert-wg] Discussion Period Begins: Ballot SC-076 "Clarify and Improve OCSP Requirements"
Message-ID:

*Purpose of Ballot*

This ballot attempts to address three concerns:

- The confusion around "reserved" serials, which do not actually exist because all Precertificate serials are assumed to also exist in corresponding Certificates and are therefore actually "assigned";
- Confusion around whether, and how quickly, OCSP responders must begin providing authoritative responses for Certificates and Precertificates; and
- Confusion around whether and how the OCSP requirements apply to Certificates which do not contain an AIA OCSP URL, but for which the CA's OCSP responder is still willing to provide responses.

These concerns have been previously discussed in this Mozilla policy bug, this ServerCert WG bug, and this Bugzilla incident.
It addresses these concerns by:

- Stating that OCSP responses must be available within 15 minutes of signing a certificate containing an AIA OCSP URL;
- Removing the concept of a "reserved" serial entirely;
- Moving all OCSP requirements into Section 4.9.9, leaving Section 4.9.10 (which RFC 3647 says is meant to place requirements on relying parties, not on CAs) empty; and
- Organizing the requirements in Section 4.9.9 into three clusters:
  - Definitions of "validity interval", "assigned", and "unassigned";
  - Requirements on OCSP Responders, which apply only to responses from AIA OCSP URLs found in issued certs; and
  - Requirements on OCSP Responses, which apply to all responses regardless of whether the certificate in question has an AIA OCSP URL.

GitHub PR representing this ballot: https://github.com/cabforum/servercert/pull/535

Rendered view of the resulting text: https://github.com/cabforum/servercert/blob/f61814473a1340774aec4022a6cbfe1fa2616458/docs/BR.md#499-on-line-revocationstatus-checking-availability

*Motion*

The following motion has been proposed by Aaron Gable (Let's Encrypt / ISRG), and is endorsed by Ben Wilson (Mozilla) and Antonis Eleftheriadis (HARICA).

*Motion Begins*

Modify the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates", based on Version 2.0.6, as specified in the following redline: https://github.com/cabforum/servercert/compare/929d9b4a1ed1f13f92f6af672ad6f6a2153b8230...f61814473a1340774aec4022a6cbfe1fa2616458

*Motion Ends*

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

*Discussion Period (at least 7 days)*
Start: August 22, 2024 16:30 UTC
End: on or after August 29, 2024 16:30 UTC

*Voting Period (7 days)*
Start: TBD
End: TBD
From infra-bot at cabforum.org Sun Aug 25 07:36:04 2024
From: infra-bot at cabforum.org (Infrastructure Bot)
Date: Sun, 25 Aug 2024 07:36:04 +0000
Subject: [Servercert-wg] Weekly github digest (Server Certificate Working Group)
Message-ID: <010001918876ad2e-ebe6b04d-47d0-443b-8f87-066b9830ebed-000000@email.amazonses.com>

Issues
------

* cabforum/servercert (+4/-0/?5)

4 issues created:
- Undefined term "Eligible Audit Scheme" in Section 8.2 (by clintwilson) https://github.com/cabforum/servercert/issues/541 [clean-up] [definitions-candidate]
- Section 7.1.2.8.8 is redundant (by robstradling) https://github.com/cabforum/servercert/issues/540
- One or more Reserved Certificate Policy Identifier (by XolphinMartijn) https://github.com/cabforum/servercert/issues/539 [baseline-requirements] [clean-up]
- CA Certificate Certificate Policies use of Profile (by XolphinMartijn) https://github.com/cabforum/servercert/issues/538

4 issues received 5 new comments:
- #541 Undefined term "Eligible Audit Scheme" in Section 8.2 (1 by github-actions) https://github.com/cabforum/servercert/issues/541 [clean-up] [definitions-candidate]
- #540 Section 7.1.2.8.8 is redundant (2 by github-actions, robstradling) https://github.com/cabforum/servercert/issues/540
- #539 One or more Reserved Certificate Policy Identifier (1 by github-actions) https://github.com/cabforum/servercert/issues/539 [baseline-requirements] [clean-up]
- #538 CA Certificate Certificate Policies use of Profile (1 by github-actions) https://github.com/cabforum/servercert/issues/538

Pull requests
-------------

* cabforum/servercert (+0/-0/?1)

1 pull requests received 1 new comments:
- #534 Update BR.md (1 by ENEN-DTR) https://github.com/cabforum/servercert/pull/534

Repositories tracked by this digest:
-----------------------------------
* https://github.com/cabforum/servercert
From Inigo.Barreira at sectigo.com Mon Aug 26 12:58:23 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Mon, 26 Aug 2024 12:58:23 +0000
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References
In-Reply-To: <010001916d62dd3b-8cf7d9f7-d521-4753-a7e7-bf32f388d115-000000@email.amazonses.com>
References: <010001914cb33b6e-5dd797f4-4c90-4855-9bc7-5f7f131d6826-000000@email.amazonses.com> <010001916d62dd3b-8cf7d9f7-d521-4753-a7e7-bf32f388d115-000000@email.amazonses.com>
Message-ID:

Hi there,

I can't count this vote because you're not listed as a server cert voting representative, only for S/MIME and Forum ballots. I think it could be an error and can be fixed quickly, but unfortunately I can't count this vote. Sorry for that.

Regards

From: Servercert-wg On Behalf Of ??? via Servercert-wg
Sent: Tuesday, 20 August 2024 3:25
To: Clint Wilson ; CA/B Forum Server Certificate WG Public Discussion List
Subject: Re: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References

CFCA votes Yes to SC-077.

-----Original Message-----
From: "Clint Wilson via Servercert-wg"
Sent: 2024-08-14 01:05:00 (Wednesday)
To: "ServerCert CA/BF"
Subject: [Servercert-wg] VOTING Period Begins - Ballot SC-077: Update WebTrust Audit name in Section 8.4 and References

From Inigo.Barreira at sectigo.com Mon Aug 26 14:01:27 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Mon, 26 Aug 2024 14:01:27 +0000
Subject: [Servercert-wg] Results of the ballot SC77: Update WebTrust Audit name in Section 8.4 and References
Message-ID:

Hi

The voting period for SC77 (Update WebTrust Audit name in Section 8.4 and References) has completed, and the ballot has passed.

Voting Results

Certificate Issuers
22 votes total, with no abstentions:
* 22 Issuers voting YES: Amazon, Buypass, Chunghwa Telecom, CommScope, DigiCert, eMudhra, Entrust, Fastly, GlobalSign, GoDaddy, HARICA, IdenTrust, iTrusChina, Izenpe, JPRS, OISTE, SECOM, Sectigo, SSL.com, TrustAsia, TWCA, VikingCloud
* 0 Issuers voting NO
* 0 Issuers ABSTAIN

Certificate Consumers
3 votes total, with no abstentions:
* 3 Consumers voting YES: Apple, Google, Mozilla
* 0 Consumers voting NO
* 0 Consumers ABSTAIN

Bylaws Requirements

1. Bylaw 2.3(6) requires:
* In order for a ballot to be adopted by the Forum, two-thirds (2/3) or more of the votes cast by the Voting Members in the Certificate Issuer category must be in favour of the ballot. This requirement was MET.
* At least fifty percent (50%) plus one (1) of the votes cast by the Voting Members in the Certificate Consumer category must be in favour of the ballot. This requirement was MET.
* At least one (1) Voting Member in each category must vote in favour of a ballot for the ballot to be adopted. This requirement was MET.

2. Bylaw 2.3(7) requires:
* A ballot result will be considered valid only when more than half of the number of currently active Voting Members has participated. The number of currently active Voting Members is the average number of Voting Member organizations that have participated in the previous three (3) Forum Meetings and Forum Teleconferences.
* The quorum was 14 for this ballot. This requirement was MET.
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. This will be notified in a separate email.

Regards

From Inigo.Barreira at sectigo.com Wed Aug 28 14:49:23 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Wed, 28 Aug 2024 14:49:23 +0000
Subject: [Servercert-wg] Final SCWG agenda for August 29th
In-Reply-To:
References: <0100018f054a61dd-b8df4c9d-ff43-4c3e-852f-0d265c84a98d-000000@email.amazonses.com>
Message-ID:

Here is the final agenda for the subject call. Clint Wilson is scheduled to take minutes.

Server Certificate Working Group Agenda - 29 August 2024

1. Begin Recording and Roll Call
2. Read Note-well
3. Review Agenda
4. Minutes:
   * Minutes from SCWG call August 1st circulated on August 5th.
5. Membership:
   * Christopher Stinson as Interested Party. Applied on July 2nd.
   * Rob Brady as Interested Party. Applied on August 22nd.
6. Issues/topics to discuss
   * GitHub's open issues triage (10 issues per call min), starting on #450
   * PAG update
7. Ballot Status - see list below
8. Any Other Business
9. Next call: Sept 12th
10. Adjourn

CURRENT STATUS OF BALLOTS

* Passed
  * SC77: Update WebTrust Audit name in Section 8.4 and References
* Failed
  * None
* Voting Period
  * None
* Discussion Period
  * SC76: Clarify and improve OCSP requirements
* Review Period
  * SC71: Terms of Use
* Draft / Under Consideration
  * SCXX - Profiles cleanup ballot - on hold
From trevolip at amazon.com Wed Aug 28 19:41:35 2024
From: trevolip at amazon.com (Ponds-White, Trev)
Date: Wed, 28 Aug 2024 19:41:35 +0000
Subject: [Servercert-wg] Discussion Period Begins: Ballot SC-076 "Clarify and Improve OCSP Requirements"
In-Reply-To: <010001917aea53f3-757a545a-f3a0-4b75-92d6-46f71db6f9b3-000000@email.amazonses.com>
References: <010001917aea53f3-757a545a-f3a0-4b75-92d6-46f71db6f9b3-000000@email.amazonses.com>
Message-ID: <6ca84cfb6db24a9282e52b752ce229cf@amazon.com>

Hi Aaron G.,

We have some feedback on the ballot.

Can you add the word "first" into the sentence about 15 minutes to reinforce that we are discussing just the first published response, not responses associated with status changes? We think this will improve clarity and future litigation of this requirement. So the new sentence would read "starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available."

Do we need "using any current or previous key associated with that CA subject;"? What additional clarity is that trying to provide? It kind of reads as an endorsement of reusing keys for new CAs.

When we read the lines starting at line 1391 we thought it might be more clear if there was a line break after the first sentence. So it would look like this instead:

"If the OCSP responder receives a request for the status of a certificate serial number that is "unassigned", then the responder SHOULD NOT respond with a "good" status.
If the OCSP responder is for a CA that is not Technically Constrained in line with [Section 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile) or [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile), the responder MUST NOT respond with a "good" status for such requests."

Thanks!
Trevoli Ponds-White
From aaron at letsencrypt.org Wed Aug 28 23:10:52 2024
From: aaron at letsencrypt.org (Aaron Gable)
Date: Wed, 28 Aug 2024 16:10:52 -0700
Subject: [Servercert-wg] Discussion Period Begins: Ballot SC-076 "Clarify and Improve OCSP Requirements"
In-Reply-To: <6ca84cfb6db24a9282e52b752ce229cf@amazon.com>
References: <010001917aea53f3-757a545a-f3a0-4b75-92d6-46f71db6f9b3-000000@email.amazonses.com> <6ca84cfb6db24a9282e52b752ce229cf@amazon.com>
Message-ID:

Hi Trevoli, thanks for the feedback!

All: since it looks like we're going to have to create a V2 ballot and re-start the discussion period, please provide any other feedback that you have ASAP so that all feedback can be incorporated before I begin V2.

On Wed, Aug 28, 2024 at 12:41 PM Ponds-White, Trev wrote:
> Hi Aaron G.,
>
> We have some feedback on the ballot.
>
> Can you add the word "first" into the sentence about 15 minutes to reinforce that we are discussing just the first published response. Not responses associated with status changes. We think this will improve clarity and future litigation of this requirement. So the new sentence would read "starting no more than 15 minutes after the Certificate or Precertificate is *first* published or otherwise made available."

Happy to make this change.

> Do we need "using any current or previous key associated with that CA subject;"? What additional clarity is that trying to provide? It kind of reads as an endorsement of reusing keys for new CAs.

This line is carried forward from the existing language, and I didn't feel like I had a strong reason to change it. But I'm happy to remove it (serial uniqueness is covered by RFC 5280) since others think it is superfluous.

> When we read the lines starting at line 1391 we thought it might be more clear if there was a line break after the first sentence. So it would look like this instead:
>
> "If the OCSP responder receives a request for the status of a certificate serial number that is "unassigned", then the responder SHOULD NOT respond with a "good" status.
>
> If the OCSP responder is for a CA that is not Technically Constrained in line with [Section 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile) or [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile), the responder MUST NOT respond with a "good" status for such requests."

I'd actually prefer not to make this change. The second sentence ends with "...for such requests", and I think it is important that the antecedent of that phrase be within the same paragraph.

Thanks,
Aaron

From Inigo.Barreira at sectigo.com Thu Aug 29 16:46:09 2024
From: Inigo.Barreira at sectigo.com (Inigo Barreira)
Date: Thu, 29 Aug 2024 16:46:09 +0000
Subject: [Servercert-wg] Final Minutes of CA/Browser Forum Server Certificate Working Group Teleconference of August 1, 2024
In-Reply-To:
References: <939420314.1317455.1705600499451@ij-reminder-cc55f4848-5sqgx> <3308af8a-b257-49c8-b89c-e750ef71043c@harica.gr>
Message-ID:

These are the Final Minutes of the Teleconference described in the subject of this message.
Attendees

Aaron Gable - (Let's Encrypt), Aaron Poulsen - (Amazon), Adam Jones - (Microsoft), Adriano Santoni - (Actalis S.p.A.), Ben Wilson - (Mozilla), Brianca Martin - (Amazon), Clint Wilson - (Apple), Corey Bonnell - (DigiCert), Corey Rasmussen - (OATI), Dean Coclin - (DigiCert), Dimitris Zacharopoulos - (HARICA), Dustin Hollenback - (Microsoft), Enrico Entschew - (D-TRUST), Jaime Hablutzel - (OISTE Foundation), Janet Hines - (VikingCloud), Ji Eun Seong - (MOIS (Ministry of Interior and Safety) of the Republic of Korea), Johnny Reading - (GoDaddy), Luis Cervantes - (GoDaddy), Mahua Chaudhuri - (Microsoft), Mark Nelson - (IdenTrust), Michelle Coon - (OATI), Miguel Sanchez - (Google), Mrugesh Chandarana - (IdenTrust), Nate Smith - (GoDaddy), Nicol So - (CommScope), Nome Huang - (TrustAsia), Paul van Brouwershaven - (Entrust), Peter Miskovic - (Disig), Rebecca Kelly - (SSL.com), Rollin Yu - (TrustAsia), Scott Rea - (eMudhra), Stephen Davidson - (DigiCert), Tadahiko Ito - (SECOM Trust Systems), Tathan Thacker - (IdenTrust), Thomas Zermeno - (SSL.com), Tobias Josefowitz - (Opera Software AS), Trevoli Ponds-White - (Amazon), Tsung-Min Kuo - (Chunghwa Telecom), Wayne Thayer - (Fastly), Wendy Brown - (US Federal PKI Management Authority).

Read note-well

Inigo read the note-well.

Review of Agenda

There was no agenda prepared for this meeting. Inigo just returned from vacation, and Kiran (Microsoft) was supposed to run this call and the previous one. The group decided to use last meeting's agenda.

Approval of previous meetings

* July 18 meeting minutes were approved.

Membership

Aaron Gable asked about his June 29 email on the public list about Trustcor's membership suspension. Wayne explained that Trustcor sent an email to the WG Chairs and announced their resignation from those WGs. Dimitris stated that according to the SCWG Charter 5c, a Member's suspension procedure could be triggered by any member. In this particular case, since the Member has resigned from all WGs, it effectively removes them from the Forum. The WG confirmed Trustcor's resignation from the Server Certificate Working Group.

Ballot Status

* Ben gave an update from the PAG associated with ballot SC70. The PAG received an email from GoDaddy that they withdraw their essential claims and the ballot can continue. The PAG asked GoDaddy to send an email to the public list confirming the withdrawal of the essential claims. As of this day, GoDaddy has not sent such an email, although it is possible that they have not followed the migration of the public mailing list and the change of the email address.
* After some discussion, it was suggested that the PAG submit their opinion to the public list on the SC70 issue, basically stating that GoDaddy has emailed the PAG that they are withdrawing their essential claims.
* Tobi said that Opera would expect a legally binding email from GoDaddy for the withdrawal of the essential claims. The PAG Chair's announcement that GoDaddy has withdrawn their essential claim may not be sufficient.
* Dimitris stated that each Member must evaluate the risks independently after the PAG's recommendation.
* Ben agreed to prepare a conclusion, get it through the PAG, and then send it to the public lists. Based on that result, Aaron can either go to a second vote, as described in the Bylaws, or start a new ballot based on SC70. Trev commented that this ballot would need some more revisions based on the latest discussions regarding DTPs. She stated that the premises of the existing SC70 ballot are flawed. Aaron said he would check the IPR and Bylaws for the defined process on doing a second vote and whether ballot SC70 will go straight to voting or have a new discussion period. Dimitris mentioned that if there is at least one member that would like some additional discussion on this ballot, it would be best to start a new ballot number.
* Regarding the OCSP response status language, Aaron mentioned https://github.com/cabforum/servercert/pull/535, calling for more attention for people to review. Aaron would like to turn it into a ballot in 2 weeks if there are no objections. He gave a brief explanation of the proposed changes and asked for feedback.

Issues/topics to discuss

* Issue https://github.com/cabforum/servercert/issues/449

Adriano explained that validation of Authority is not part of the "certificate information". If a person is a Certificate Requestor on behalf of a Company, can this confirmation be reused as part of the rest of the validation information? It is not clear from the current language. Dimitris replied that in his opinion this authority information can be re-used according to 4.2.1. Clint said that validating the authority authenticates the request, and that this information can be re-used as part of 4.2.1.

Any Other Business

No other business.

Next call

The group agreed to cancel the August 15 Teleconference due to National Holidays in some European Countries. The next scheduled Teleconference is on August 29, 2024.

Meeting adjourned.
From aaron at letsencrypt.org Thu Aug 29 19:05:29 2024
From: aaron at letsencrypt.org (Aaron Gable)
Date: Thu, 29 Aug 2024 12:05:29 -0700
Subject: [Servercert-wg] Discussion Period Begins: Ballot SC-076v2 "Clarify and Improve OCSP Requirements"
Message-ID:

*Purpose of Ballot*

This is v2 of this ballot; you can see the discussion thread for v1 here: https://lists.cabforum.org/pipermail/servercert-wg/2024-August/004798.html

This ballot attempts to address three concerns:

- The confusion around "reserved" serials, which do not actually exist because all Precertificate serials are assumed to also exist in corresponding Certificates and are therefore actually "assigned";
- Confusion around whether, and how quickly, OCSP responders must begin providing authoritative responses for Certificates and Precertificates; and
- Confusion around whether and how the OCSP requirements apply to Certificates which do not contain an AIA OCSP URL, but for which the CA's OCSP responder is still willing to provide responses.

These concerns have been previously discussed in this Mozilla policy bug, this ServerCert WG bug, and this Bugzilla incident.

It addresses these concerns by:

- Stating that OCSP responses must be available within 15 minutes of signing a certificate containing an AIA OCSP URL;
- Removing the concept of a "reserved" serial entirely;
- Moving all OCSP requirements into Section 4.9.9, leaving Section 4.9.10 (which RFC 3647 says is meant to place requirements on relying parties, not on CAs) empty; and
- Organizing the requirements in Section 4.9.9 into three clusters:
  - Definitions of "validity interval", "assigned", and "unassigned";
  - Requirements on OCSP Responders, which apply only to responses from AIA OCSP URLs found in issued certs; and
  - Requirements on OCSP Responses, which apply to all responses regardless of whether the certificate in question has an AIA OCSP URL.

GitHub PR representing this ballot: https://github.com/cabforum/servercert/pull/535

Rendered view of the resulting text: https://github.com/cabforum/servercert/blob/a8a36690802250cdbe508a6c1f99f700a5357bd3/docs/BR.md#499-on-line-revocationstatus-checking-availability

*Motion*

The following motion has been proposed by Aaron Gable (Let's Encrypt / ISRG), and is endorsed by Ben Wilson (Mozilla) and Antonis Eleftheriadis (HARICA).

*Motion Begins*

Modify the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates", based on Version 2.0.6, as specified in the following redline: https://github.com/cabforum/servercert/compare/929d9b4a1ed1f13f92f6af672ad6f6a2153b8230...a8a36690802250cdbe508a6c1f99f700a5357bd3

*Motion Ends*

This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:

*Discussion Period (at least 7 days)*
Start: August 29, 2024 19:00 UTC
End: on or after September 5, 2024 19:00 UTC

*Voting Period (7 days)*
Start: TBD
End: TBD
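The OCSP rules that Ballot SC-076 (the v1 announcement and the v2 above) and the Amazon feedback thread discuss, modelled in code as an added example: this is not the ballot text, not any list member's code and not any CA's responder software. The class and function names (`ResponderModel`, `unassigned_serial_finding`, `availability_findings`) are this example's own, the serials and timestamps are constructed, and the choice to answer "unknown" for an unassigned serial is an assumption, since the ballot only says what a responder must not answer, not which non-"good" RFC 6960 status it should use.

```python
"""
Illustrative model of the OCSP rules proposed in Ballot SC-076 (Section 4.9.9):
- a serial is "assigned" once it appears in a Precertificate or Certificate;
  the separate "reserved" state is removed;
- a responder SHOULD NOT answer "good" for an "unassigned" serial, and MUST NOT
  do so when the CA is not Technically Constrained;
- for certificates carrying an AIA OCSP URL, an authoritative response must be
  available no more than 15 minutes after first publication.
This is an added example, not the ballot text or any CA's software.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

AVAILABILITY_DEADLINE = timedelta(minutes=15)  # the ballot's 15-minute window


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # RFC 6960 CertStatus for serials the responder will not vouch for


@dataclass
class AssignedSerial:
    """A serial the CA has placed in a Precertificate or Certificate."""
    serial: int
    first_published: datetime   # when the (pre)certificate was first made available
    has_aia_ocsp: bool
    revoked_at: Optional[datetime] = None


@dataclass
class ResponderModel:
    technically_constrained: bool
    # Legacy behaviour to be flagged: answering "good" for any serial not known to be revoked.
    answers_good_for_unassigned: bool = False
    assigned: dict = field(default_factory=dict)

    def assign(self, serial: int, published_at: datetime, has_aia_ocsp: bool) -> None:
        """Register a serial at (pre)certificate publication; only the first publication counts."""
        self.assigned.setdefault(serial, AssignedSerial(serial, published_at, has_aia_ocsp))

    def revoke(self, serial: int, when: datetime) -> None:
        self.assigned[serial].revoked_at = when

    def status(self, serial: int, now: datetime) -> CertStatus:
        entry = self.assigned.get(serial)
        if entry is None:
            # Unassigned serial: SHOULD NOT be "good"; MUST NOT be "good" for an
            # unconstrained CA. Answering "unknown" here is this example's assumption.
            return CertStatus.GOOD if self.answers_good_for_unassigned else CertStatus.UNKNOWN
        if entry.revoked_at is not None and entry.revoked_at <= now:
            return CertStatus.REVOKED
        return CertStatus.GOOD


def unassigned_serial_finding(responder: ResponderModel) -> str:
    """Classify the responder's handling of unassigned serials against the ballot text."""
    if not responder.answers_good_for_unassigned:
        return "compliant"
    if responder.technically_constrained:
        return "SHOULD NOT violated"   # discouraged, but not prohibited, for constrained CAs
    return "MUST NOT violated"         # prohibited for CAs that are not Technically Constrained


def availability_findings(responder: ResponderModel, first_seen: dict) -> list:
    """Audit the 15-minute rule. `first_seen` maps serial -> time an authoritative
    response was first observed (e.g. by an external monitor). Serials without an
    AIA OCSP URL are outside the scope of this requirement."""
    findings = []
    for serial, entry in responder.assigned.items():
        if not entry.has_aia_ocsp:
            continue
        seen = first_seen.get(serial)
        if seen is None:
            findings.append((serial, "no authoritative response observed"))
        elif seen - entry.first_published > AVAILABILITY_DEADLINE:
            late_by = seen - entry.first_published - AVAILABILITY_DEADLINE
            findings.append((serial, f"first response late by {int(late_by.total_seconds())}s"))
    return findings


def demo() -> dict:
    """Constructed scenario: one unconstrained CA, three serials, one monitor log."""
    t0 = datetime(2024, 8, 29, 19, 0, tzinfo=timezone.utc)
    ca = ResponderModel(technically_constrained=False)
    ca.assign(0x1001, t0, has_aia_ocsp=True)                         # precert published at t0
    ca.assign(0x1001, t0 + timedelta(minutes=5), has_aia_ocsp=True)  # final cert: already assigned
    ca.assign(0x1002, t0, has_aia_ocsp=True)
    ca.assign(0x1003, t0, has_aia_ocsp=False)                        # no AIA OCSP URL
    ca.revoke(0x1002, t0 + timedelta(hours=1))
    first_seen = {0x1001: t0 + timedelta(minutes=10), 0x1002: t0 + timedelta(minutes=20)}
    return {
        "good": ca.status(0x1001, t0 + timedelta(minutes=30)),
        "revoked": ca.status(0x1002, t0 + timedelta(hours=2)),
        "unassigned": ca.status(0x9999, t0),
        "unassigned_finding": unassigned_serial_finding(ca),
        "availability": availability_findings(ca, first_seen),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model keys "assigned" on the first publication of either the Precertificate or the Certificate, which is why the second `assign` call for the same serial changes nothing and the 15-minute clock for that serial runs from the precertificate time; a monitor that only starts its clock at final-certificate issuance would under-report lateness.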