[Servercert-wg] [EXTERNAL] Re: [Discussion Period Begins]: SC-72 - Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED

Paul van Brouwershaven Paul.vanBrouwershaven at entrust.com
Fri Mar 15 16:09:03 UTC 2024

Hi Clint,

If the BRs specified MAY and the EVGs MUST you can put it in both and thus have profile alignment. After this changed from MAY to NOT RECOMMENDED we end up with a conflicting requirement, while allowed, its expected that CAs adhere to a NOT RECOMMENDED unless they have a good reason to do so.

While it's possible to implement two different policies this does creates a clear misalignment.


From: Clint Wilson
Sent: Friday, March 15, 2024 17:00
To: Paul van Brouwershaven; ServerCert CA/BF
Subject: [EXTERNAL] Re: [Servercert-wg] [Discussion Period Begins]: SC-72 - Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED


Could the ballot author and endorsers please provide some additional explanation and context surrounding this ballot? As far as I can recall, this topic hasn’t been discussed since SC-062, so it’s rather coming out of nowhere as a ballot proposal (which is, of course, totally fine, but also still abrupt/confusing). Why is this difference between the TBRs and the EVGs necessary/valuable for the WG to address at the moment?

You indicate that this is a discrepancy introduced by Ballot SC-062, but I don’t see how that’s the case. Before SC-062, the TBRs specified policyQualifiers as Optional and after as NOT RECOMMENDED. Neither of these match the MUST present in the EVGs and both of these are compatible/non-conflicting with the MUST present in the EVGs.


On Mar 15, 2024, at 3:01 AM, Paul van Brouwershaven via Servercert-wg <servercert-wg at cabforum.org> wrote:

This ballot updates the TLS Extended Validation Guidelines (EVGs) by removing the exceptions to policyQualifiers​ in section 9.7, to align them with the Baseline Requirements (BRs).As result, this ballot changes policyQualifiers​ from MUST​ to NOT RECOMMENDED​ as stated in the TLS Baseline Requirements, resolving a discrepancy introduced byBallot SC-62v2<https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/> between section Subscriber Certificate Policies<https://cabforum.org/working-groups/server/baseline-requirements/requirements/#71279-subscriber-certificate-certificate-policies> of the BRs and the Additional Technical Requirements for EV Certificates<https://cabforum.org/working-groups/server/extended-validation/guidelines/#97-additional-technical-requirements-for-ev-certificates> in the EVGs.

The following motion has been proposed by Paul van Brouwershaven (Entrust) and endorsed by Dimitris Zacharopoulos (HARICA) and Iñigo Barreira (Sectigo).

You can view and comment on the GitHub pull request representing this ballot here:https://github.com/cabforum/servercert/pull/490

--- Motion Begins ---

This ballot modifies the “Guidelines for the Issuance and Management of Extended Validation Certificates” (“EV Guidelines”) as follows, based on version 1.8.1:

MODIFY the Extended Validation Guidelines as specified in the following redline: https://github.com/cabforum/servercert/compare/8e7fc7d5cac0cc27c44fe2aa88cf45f5606f4b94...7b9bb1dbfd41b1d0459b8a985ed629ad841ce122

--- Motion Ends ---

Discussion (at least 7 days):
- Start: 2024-03-15 10:00 UTC
- End no earlier than 2024-03-22 10:00 UTC

Vote for approval (7 days):
- Start: TBD
- End: TBD

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system. _______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org<mailto:Servercert-wg at cabforum.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240315/bef8728a/attachment-0001.html>

More information about the Servercert-wg mailing list