[Servercert-wg] Ballot SC-75 v2 - Pre-sign linting

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Jun 10 15:55:35 UTC 2024



On 10/6/2024 6:45 PM, Martijn Katerbarg wrote:
>
> Thanks. I’ve added a suggestion onto the PR to hopefully make this 
> clearer.
>
> I also added a linebreak, so as to hopefully indicate to CAs that 
> linting alone during the self-audit is not enough to satisfy the 
> self-audit requirements.
>

Perfect, thank you Martijn!

I also received some suggested language from Corey and will wait one 
more day before incorporating it into the ballot and restarting the 
discussion period with a v3.


Thanks,
Dimitris.


> *From: *Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
> *Date: *Monday, 10 June 2024 at 17:34
> *To: *Martijn Katerbarg <martijn.katerbarg at sectigo.com>, CA/B Forum 
> Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject: *Re: [Servercert-wg] Ballot SC-75 v2 - Pre-sign linting
>
> On 10/6/2024 3:29 PM, Martijn Katerbarg wrote:
>
>     Dimitris,
>
>     I’ve got a question as to the intent of the following line from
>     section 8.7:
>
>     “Effective 2025-03-15, the CA SHOULD use a Linting process to
>     verify the technical accuracy of Certificates within the selected
>     sample set.”
>
>     Is the intent here that the CA should re-lint the selected sample
>     set, even if they were originally linted during the issuance
>     process (as pre-issuance, post-issuance, or both)?
>
>
> Yes, as this may include a new version of the Linting software. Please 
> let me know if you have any suggested language to make this a bit more clear.
>
>
> Thanks,
> Dimitris.
>
>
>     Regards,
>
>     Martijn
>
>     *From: *Servercert-wg <servercert-wg-bounces at cabforum.org>
>     on behalf of Dimitris Zacharopoulos (HARICA) via Servercert-wg
>     <servercert-wg at cabforum.org>
>     *Date: *Monday, 10 June 2024 at 12:36
>     *To: *CA/B Forum Server Certificate WG Public Discussion List
>     <servercert-wg at cabforum.org>
>     *Subject: *[Servercert-wg] Ballot SC-75 v2 - Pre-sign linting
>
>
>       SC-75 v2 Pre-sign linting
>
>
>         Summary
>
>     There have been numerous compliance incidents publicly disclosed
>     by CAs in which they failed to comply with the technical
>     requirements described in standards associated with the issuance
>     and management of publicly-trusted TLS Certificates. However, the
>     industry has developed open-source tools, linters, that are free
>     to use and can help CAs avoid certificate misissuance. Using such
>     linters before issuing a precertificate from a Publicly-Trusted CA
>     (pre-issuance linting) can prevent the mis-issuance in a wide
>     variety of cases.
>
>     The following motion has been proposed by Dimitris Zacharopoulos
>     of HARICA and endorsed by Corey Bonnell of DigiCert and Ben Wilson
>     of Mozilla.
>
>     You can view the GitHub pull request representing this ballot here
>     <https://github.com/cabforum/servercert/pull/518>.
>
>
>
>         Motion Begins
>
>     MODIFY the "Baseline Requirements for the Issuance and Management
>     of Publicly-Trusted TLS Server Certificates" based on Version
>     2.0.5 as specified in the following redline:
>
>       * https://github.com/cabforum/servercert/compare/20af1b271f2b689344ae353d3e78dc6b772199db...cc88926a3dee348a364542e5e259e9c7cab1f747
>
>
>         Motion Ends
>
>     This ballot proposes a Final Maintenance Guideline. The procedure
>     for approval of this ballot is as follows:
>
>
>             Discussion (at least 7 days)
>
>       * Start time: 2024-06-10 10:00:00 UTC
>       * End time: on or after 2024-06-17 10:00:00 UTC
>
>
>             Vote for approval (7 days)
>
>       * Start time: TBD
>       * End time: TBD
>