[Servercert-wg] [EXTERNAL]-Re: Ballot SC-75 v2 - Pre-sign linting

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Jun 12 06:32:34 UTC 2024



On 11/6/2024 10:04 PM, Pedro FUENTES wrote:
> I still think that the section “CAs are encouraged to contribute to 
> open-source Linting projects, such as by:” is a bit out of place in 
> the BR.
>
> It’s not that I’m against, not at all, it’s a good thing and we are 
> totally fine with this expectation, but I think such “encouragement” 
> is not matching the rest of the language of the BR. I would see this 
> more fit in a Root Program Policy...
>
> In fact, the only other place where “encouragement” is used is in 
> section 8 (“We encourage all CAs to conform to each revision herein on 
> the date specified without awaiting a corresponding update to an 
> applicable audit criterion.”), that is, IMHO, even incorrectly worded, 
> as that requirement is a MUST in my understanding.

Thanks Pedro,

As there are no strong objections, I will proceed with the 
"encouragement" language as-is. We are trying to move as many of the 
Root Program requirements/suggestions/good practices into the BRs so CAs 
have a central point of reference and less "deltas" with Root Store 
Programs to process.

Dimitris.


>
>
>
>> On 11 Jun 2024, at 19:37, Dimitris Zacharopoulos (HARICA) via 
>> Servercert-wg <servercert-wg at cabforum.org> wrote:
>>
>>
>>
>> On 11/6/2024 7:58 PM, Tom Zermeno wrote:
>>> Dimitris,
>>> The text is missing a pipe ( | ) between lines 173 and 174.  This 
>>> may throw the table out of alignment.
>>
>> Thanks Tom, fixed.
>>
>> Dimitris.
>>
>>> -Tom
>>> SSL.com <http://ssl.com/>
>>> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf 
>>> Of* Dimitris Zacharopoulos (HARICA) via Servercert-wg
>>> *Sent:* Monday, June 10, 2024 5:37 AM
>>> *To:* CA/B Forum Server Certificate WG Public Discussion 
>>> List <servercert-wg at cabforum.org>
>>> *Subject:* [Servercert-wg] Ballot SC-75 v2 - Pre-sign linting
>>>
>>>
>>>   SC-75 v2 Pre-sign linting
>>>
>>>
>>>     Summary
>>>
>>> There have been numerous compliance incidents publicly disclosed by 
>>> CAs in which they failed to comply with the technical requirements 
>>> described in standards associated with the issuance and management 
>>> of publicly-trusted TLS Certificates. However, the industry has 
>>> developed open-source tools, linters, that are free to use and can 
>>> help CAs avoid certificate misissuance. Using such linters before 
>>> issuing a precertificate from a Publicly-Trusted CA (pre-issuance 
>>> linting) can prevent the mis-issuance in a wide variety of cases.
>>>
>>> The following motion has been proposed by Dimitris Zacharopoulos of 
>>> HARICA and endorsed by Corey Bonnell of Digicert and Ben Wilson of 
>>> Mozilla.
>>>
>>> You can view the GitHub pull request representing this ballot here 
>>> <https://github.com/cabforum/servercert/pull/518>.
>>>
>>>
>>>
>>>     Motion Begins
>>>
>>> MODIFY the "Baseline Requirements for the Issuance and Management of 
>>> Publicly-Trusted TLS Server Certificates" based on Version 2.0.5 as 
>>> specified in the following redline:
>>>
>>>   * https://github.com/cabforum/servercert/compare/20af1b271f2b689344ae353d3e78dc6b772199db...cc88926a3dee348a364542e5e259e9c7cab1f747
>>>
>>>
>>>     Motion Ends
>>>
>>> This ballot proposes a Final Maintenance Guideline. The procedure 
>>> for approval of this ballot is as follows:
>>>
>>>
>>>         Discussion (at least 7 days)
>>>
>>>   * Start time: 2024-06-10 10:00:00 UTC
>>>   * End time: on or after 2024-06-17 10:00:00 UTC
>>>
>>>
>>>         Vote for approval (7 days)
>>>
>>>   * Start time: TBD
>>>   * End time: TBD
>>>
>>
>
> WISeKey SA
> Pedro Fuentes
> CSO - Trust Services Manager
> Office: + 41 (0) 22 594 30 00
> Mobile: + 41 (0) 791 274 790
> Address: Avenue Louis-Casaï 58 | 1216 Cointrin | Switzerland
> Stay connected with WISeKey <http://www.wisekey.com>