[Servercert-wg] [Discussion Period Begins]: SC65: Convert EVGs into RFC 3647 format
Corey Bonnell
Corey.Bonnell at digicert.com
Fri Feb 16 17:50:52 UTC 2024
Hi Inigo,
It appears the hyperlink I provided doesn't immediately highlight the line
(you have to go digging for it). Perhaps explaining it would be easier:
EVG version 1.8.0, section 9.8.2 says:
where the subfields have the same values, meanings, and restrictions
described in Section 9.2.8.
The CA SHALL validate the contents using the requirements in Section 9.2.8.
Section 9.2.8 is Subject Organization Identifier Field.
This draft has in section 7.1.2.2:
where the subfields have the same values, meanings, and restrictions
described in [Section
7.1.4.2.1](#71428-subject-organization-identifier-field). The CA SHALL
validate the contents using the requirements in [Section
7.1.4.2.1](#71428-subject-organization-identifier-field).
Section 7.1.4.2.1 is Subject Organization Name Field. This is not
correct, as it needs to be a reference to section 7.1.4.2.8. It looks like
the link (which is informative) was updated to correctly point to
7.1.4.2.8, but the actual text of the document (which is normative)
specifies the incorrect section number.
Thanks,
Corey
From: Inigo Barreira <Inigo.Barreira at sectigo.com>
Sent: Friday, February 16, 2024 12:40 PM
To: Corey Bonnell <Corey.Bonnell at digicert.com>; CA/B Forum Server
Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: RE: [Servercert-wg] [Discussion Period Begins]: SC65: Convert EVGs
into RFC 3647 format
Hi Corey,
No worries for this late feedback. I'll try to address it anyway.
1. Sorry but I don't see that under line 1303 (I see CRL frequency) but
in any case, as said I haven't changed anything, so if it's something that
needs to be addressed because it's misleading, we could do it in another
ballot. If the issue is that I changed something inadvertently, please let
me know where it is exactly because I can't find it. I assume, in any case,
that you are referring to current section 9.2.8?
2. Yes, this ballot will be updated with the latest version derived
from SC68, so will include that change. Currently it is under review period and
finishes in 2 weeks. If this SC65 is approved, it will be updated based on
that new version. The issue is that at the time of sending, you can only
work with the current version.
3. Well, I think I indicated somehow by saying "without changing any
content, just moving current sections" but it's not as formal as your
suggestion. But in any case, there are no normative requirement changes. No
new text has been added nor any other update of the current text.
Regards
From: Corey Bonnell <Corey.Bonnell at digicert.com>
Sent: Friday, February 16, 2024 15:46
To: Inigo Barreira <Inigo.Barreira at sectigo.com>; CA/B Forum Server
Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: RE: [Servercert-wg] [Discussion Period Begins]: SC65: Convert EVGs
into RFC 3647 format
Hi Inigo,
I did a cursory review of the draft ballot and have a few comments:
1. Line 1303 indicates that the values of the
CABFOrganizationIdentifier extension MUST be derived from the
OrganizationName attribute as opposed to the OrganizationIdentifier
attribute:
https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35..65b69fe0ab5365a002c3d4b668d3f2ab81079411?diff=split&w=#diff-f7368cf58de0586cb0ad80e242205ab3272314af71f4115b99187f49521da529R1303
2. The changes in Appendix H introduced by SC-68 (to allow EL and XI in
the VAT Registration Scheme) need to be contemplated in accordance with
Bylaws 2.4 (10). Depending on the urgency of this ballot, it might be easier
to wait until SC-68 (presumably) clears IPR and is published before
initiating voting.
3. Are there any normative requirements changes introduced in this
ballot? If there are none, it would be useful to indicate that there are no
normative requirements changes in the ballot preamble so that the intent of
the language changes is clear.
Thanks,
Corey
From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of
Inigo Barreira via Servercert-wg
Sent: Friday, February 9, 2024 8:30 AM
To: CA/B Forum Server Certificate WG Public Discussion List
<servercert-wg at cabforum.org>
Subject: [Servercert-wg] [Discussion Period Begins]: SC65: Convert EVGs into
RFC 3647 format
Summary:
The Extended Validation Certificates guidelines (EVGs) were developed and
written in a specific format. Since then, the RFC 3647 has been the basis
(and the de-facto standard) for the CA/Browser Forum to develop other
documents.
This ballot aims to update the EVGs to follow the RFC 3647 format without
changing any content, just moving current sections to those defined in the
RFC 3647. This change also affects the Baseline Requirements for TLS
certificates (BRs) which need to point to the new sections of the EVGs.
This ballot is proposed by Iñigo Barreira (Sectigo) and endorsed by Pedro
Fuentes (OISTE) and Ben Wilson (Mozilla).
--- Motion Begins ---
This ballot modifies the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted TLS Certificates" ("TLS Baseline
Requirements"), based on Version 2.0.2 and the Guidelines for the Issuance
and Management of Extended Validation Certificates (EVGs) based on Version
1.8.0.
MODIFY the TLS EVGs and BRs as specified in the following Redline:
https://github.com/cabforum/servercert/compare/90a98dc7c1131eaab01af411968aa7330d315b9b...65b69fe0ab5365a002c3d4b668d3f2ab81079411
--- Motion Ends ---
This ballot proposes a Final Maintenance Guideline for the BRs and EVGs. The
procedure for approval of this ballot is as follows:
Discussion (at least 7 days)
1. Start time: 2024-02-09 14:30:00 UTC
2. End time: not before 2024-02-16 14:30:00 UTC
Vote for approval (7 days)
1. Start time: TBD
2. End time: TBD