[Servercert-wg] Ballot SC-75 v2 - Pre-sign linting

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Jun 10 15:33:52 UTC 2024



On 10/6/2024 3:29 PM, Martijn Katerbarg wrote:
>
> Dimitris,
>
> I’ve got a question as to the intent of the following line from 
> section 8.7:
>
> “Effective 2025-03-15, the CA SHOULD use a Linting process to verify 
> the technical accuracy of Certificates within the selected sample set.”
>
> Is the intent here that the CA should re-lint the selected sample set, 
> even if they were originally linted during the issuance process (as 
> pre-issuance, post-issuance, or both)?
>

Yes, as this may include a new version of the Linting software. Please 
let me know if you have any suggested language to make this a bit more clear.


Thanks,
Dimitris.

> Regards,
>
> Martijn
>
> *From: *Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf 
> of Dimitris Zacharopoulos (HARICA) via Servercert-wg 
> <servercert-wg at cabforum.org>
> *Date: *Monday, 10 June 2024 at 12:36
> *To: *CA/B Forum Server Certificate WG Public Discussion List 
> <servercert-wg at cabforum.org>
> *Subject: *[Servercert-wg] Ballot SC-75 v2 - Pre-sign linting
>
>
>   SC-75 v2 Pre-sign linting
>
>
>     Summary
>
> There have been numerous compliance incidents publicly disclosed by 
> CAs in which they failed to comply with the technical requirements 
> described in standards associated with the issuance and management of 
> publicly-trusted TLS Certificates. However, the industry has developed 
> open-source tools, linters, that are free to use and can help CAs 
> avoid certificate misissuance. Using such linters before issuing a 
> precertificate from a Publicly-Trusted CA (pre-issuance linting) can 
> prevent the mis-issuance in a wide variety of cases.
>
> The following motion has been proposed by Dimitris Zacharopoulos of 
> HARICA and endorsed by Corey Bonnell of DigiCert and Ben Wilson of 
> Mozilla.
>
> You can view the GitHub pull request representing this ballot here 
> <https://github.com/cabforum/servercert/pull/518>.
>
>
>
>     Motion Begins
>
> MODIFY the "Baseline Requirements for the Issuance and Management of 
> Publicly-Trusted TLS Server Certificates" based on Version 2.0.5 as 
> specified in the following redline:
>
>   * https://github.com/cabforum/servercert/compare/20af1b271f2b689344ae353d3e78dc6b772199db...cc88926a3dee348a364542e5e259e9c7cab1f747
>
>
>     Motion Ends
>
> This ballot proposes a Final Maintenance Guideline. The procedure for 
> approval of this ballot is as follows:
>
>
>         Discussion (at least 7 days)
>
>   * Start time: 2024-06-10 10:00:00 UTC
>   * End time: on or after 2024-06-17 10:00:00 UTC
>
>
>         Vote for approval (7 days)
>
>   * Start time: TBD
>   * End time: TBD
>