Conversation
* Add files via upload * EVG.md * Update EVG.md * Create EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Delete EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG to match section 6 of the RFC 3647.md Updated section 1.1 from scope to overview Added section 3.2.1 for the possesion of the private key Changed totally/created new section 3.2.2 to cover all section 11 Moved section 8.1 to section 8 and renamed the others to meet RFC3647 Added the self-audits (8.1.1) under section 8.1 Left/created section 8.7 for pre/readiness audits which do not exist under RFC 3647 * Update EVG updating links.md 2 links were updated regarding section 8 * Update EVG.md Another link updated from 3.2.14.1 to 3.2.2.14.1 * Update branch for BRs pointing to new sections of EVGs (#476) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (#441) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414) * Profiles WIP * Clarify AIA based on 2021-06-12 call AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod. * Address basicConstraints for OCSP Responder feedback Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate. * Address the "any other value" situations with 7.1.2.4 language This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted. * Fix the certificatePolicies mismatched highlighted by Corey * Change SHOULD NOT to NOT RECOMMENDED While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion. * Remove dnsSRV and cleanup otherName handling This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id) * Formatting fix * Move the Non-TLS EKU requirement into the Non-TLS profile Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections. * Redo Certificate Policies for Non-TLS CAs The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change. * Naming Cleanup This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2. * Formatting & Section Heading fixes This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text. * Fix a bug in non-TLS technically constrained CAs For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant. * Redo Certificate Policies This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented"). * Minor fixes and cleanups (#399) * Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell <[email protected]> * Integrate newer ballots (#406) * Update README (#294) Co-authored-by: Jos Purvis <[email protected]> * Adjust the workflow file to build the actions (#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (#282) (#290) * SC47 Sunset subject:organizationalUnitName (#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * SC47 datefix (#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> * SC48 - Domain Name and IP Address Encoding (#285) (#302) * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Jos <[email protected]> * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Jos <[email protected]> * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Ballot SC50 - Remove the requirements of 4.1.1 (#328) * SC50 - Remove the requirements of 4.1.1 (#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <[email protected]> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <[email protected]> * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> * Update version and date table Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338) * Sunset SHA-1 for OCSP signing (#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell <[email protected]> * Update version, table, and date Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Bump actions/checkout from 2 to 3 (#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <[email protected]> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <[email protected]> * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Ballot SC54: Onion Cleanup (#369) * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <[email protected]> * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <[email protected]> * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Integrate SC-48 CN requirements Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> * Update BR.md Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023). * Update BR.md Address Comments: - #402 (comment) (added "CRL") - #414 (comment) (as suggested) * Align with BRs Inadvertent numbering change. * Update BR.md Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to #414 (comment)) * Update BR.md Cleaning-up proposal in advance of discussion. * Update EVG.md [clean-up diff, this file was not intentionally modified in the PR] * Update BR.md [clean-up] * Update BR.md [cleanup] * Update BR.md * Update BR.md * Update BR.md begin integrating SC-61 language. * integrate sc61 * Update BR.md continue tweaking to include sc61 * Update BR.md improve readability * Update BR.md * Update BR.md * Update BR.md * Update BR.md correct spelling error * Update BR.md * Update BR.md typo * Update BR.md * Update BR.md * Update BR.md * Improve specificity of CRL issuance frequency * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md Typo (thanks, Wendy!) * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <[email protected]> * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <[email protected]> * Update BR.md * Update BR.md * Update BR.md Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days." * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <[email protected]> * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <[email protected]> * Update BR.md "twenty four" -> "twenty-four" * Update BR.md * Add provision to handle nonces per RFC8954 * Update BR.md Improve readability. * Update BR.md * Update BR.md * Update BR.md CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates. This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise). * Address comment from Rob * Clean up language * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Address formatting nits * Address table formatting nits. * Remove redundant language re: nextUpdate * Clarify use of "unspecified" CRL Reason Code * Clarify IDP * (Further) Clarify IDP * Update BR.md Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly. * Update BR.md Nits. --------- Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]> * Update BR.md --------- Co-authored-by: Ryan Dickson <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]> * Fall 2023 clean up (#460) * Issue#169 Issue #169 - updated 3.2.2.5.6 and 3.2.2.5.7 - added RFC 8738 in References * Issue #174 Issue #174 - Updated title in section 3.2.2.4.10 - Updated section 3.2.2.4.18 * Issue #337 Issue #337 - Updated title of the document to include TLS Server And also: - updated section 1.1, 1.2, 1.5 and 2.2 to be consistent with the new document name * Issue #423 Issue #423 Updated section 1.6.3 - removing version of the Webtrust and changing the link to redirect to all the documents published by CPA Canada - removing version of the NetSec and changing the link to redirect to the NetSec documents * Issue #430 Issue #430 Updated with the text suggested by Aaron as it´s the smallest change and clarifies the ambiguity of "reuse" * Issue #444 Issue #444 Added empty section 7.1.5 * Issue #450 Issue #450 Updated including link to the 6.2.7 section * Issue #453 Issue #453 Updated section as indicated * PR #415 PR #415 Updated title * Update BR.md Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alpahabetical order * Update BR.md Updated version and changelog * Issue #461 Issue #461 Used 2 option for the update * Update docs/BR.md Co-authored-by: Corey Bonnell <[email protected]> * Add line breaks in 7.1.2.11.2 According to #462 * Revert the change of the NSSR version Put back the version 1.7 in the NetSec * Update BR.md --------- Co-authored-by: Corey Bonnell <[email protected]> --------- Co-authored-by: Ryan Dickson <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]> * Update BRs with the new EVGs section numbers.md Changed sections 3.2.2.4.7 and 7.1.2.7.5, updating the following: Section 3.2.2.4.7 EVG 11.14.3 to new 3.2.2.14.3 Section 7.1.2.7.5 EVG 9.2 to new 7.1.4.2 * Update EVG.md Updated section 7.1.2.2 to fix the link to section 7.1.4.2.8 --------- Co-authored-by: Martijn Katerbarg <[email protected]> Co-authored-by: Ryan Dickson <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]>
Update of the TLS BRs with updated pointers to the new EVG sections
Changed version and date of the EVGs and added the correspondent ballot number
slghtr-says
added a commit
to slghtr-says/servercert
that referenced
this pull request
Sep 27, 2024
* SC65: Convert EVGs into RFC 3647 format v2 (cabforum#440) (cabforum#493) * SC65: Convert EVGs into RFC 3647 format v2 (cabforum#440) * Add files via upload * EVG.md * Update EVG.md * Create EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Delete EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG to match section 6 of the RFC 3647.md Updated section 1.1 from scope to overview Added section 3.2.1 for the possesion of the private key Changed totally/created new section 3.2.2 to cover all section 11 Moved section 8.1 to section 8 and renamed the others to meet RFC3647 Added the self-audits (8.1.1) under section 8.1 Left/created section 8.7 for pre/readiness audits which do not exist under RFC 3647 * Update EVG updating links.md 2 links were updated regarding section 8 * Update EVG.md Another link updated from 3.2.14.1 to 3.2.2.14.1 * Update branch for BRs pointing to new sections of EVGs (cabforum#476) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (cabforum#441) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (cabforum#414) * Profiles WIP * Clarify AIA based on 2021-06-12 call AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod. * Address basicConstraints for OCSP Responder feedback Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate. * Address the "any other value" situations with 7.1.2.4 language This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted. * Fix the certificatePolicies mismatched highlighted by Corey * Change SHOULD NOT to NOT RECOMMENDED While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion. * Remove dnsSRV and cleanup otherName handling This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id) * Formatting fix * Move the Non-TLS EKU requirement into the Non-TLS profile Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections. * Redo Certificate Policies for Non-TLS CAs The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change. * Naming Cleanup This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2. * Formatting & Section Heading fixes This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text. * Fix a bug in non-TLS technically constrained CAs For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant. * Redo Certificate Policies This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented"). * Minor fixes and cleanups (cabforum#399) * Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell <[email protected]> * Integrate newer ballots (cabforum#406) * Update README (cabforum#294) Co-authored-by: Jos Purvis <[email protected]> * Adjust the workflow file to build the actions (cabforum#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (cabforum#282) (cabforum#290) * SC47 Sunset subject:organizationalUnitName (cabforum#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * SC47 datefix (cabforum#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> * SC48 - Domain Name and IP Address Encoding (cabforum#285) (cabforum#302) * SC48 - Domain Name and IP Address Encoding (cabforum#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Jos <[email protected]> * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (cabforum#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Jos <[email protected]> * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Ballot SC50 - Remove the requirements of 4.1.1 (cabforum#328) * SC50 - Remove the requirements of 4.1.1 (cabforum#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <[email protected]> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <[email protected]> * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> * Update version and date table Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Ballot SC53: Sunset SHA-1 for OCSP signing (cabforum#330) (cabforum#338) * Sunset SHA-1 for OCSP signing (cabforum#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell <[email protected]> * Update version, table, and date Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Bump actions/checkout from 2 to 3 (cabforum#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (cabforum#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (cabforum#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <[email protected]> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <[email protected]> * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Ballot SC54: Onion Cleanup (cabforum#369) * SC-54: Onion cleanup (cabforum#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses cabforum#270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses cabforum#242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses cabforum#241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses cabforum#240. Things are signed using private, not public keys. * Addresses cabforum#190, cabforum#191. According to cabforum#191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <[email protected]> * SC-54: Onion cleanup (cabforum#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses cabforum#270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses cabforum#242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses cabforum#241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses cabforum#240. Things are signed using private, not public keys. * Addresses cabforum#190, cabforum#191. According to cabforum#191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <[email protected]> * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos Purvis <[email protected]> * Integrate SC-48 CN requirements Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> * Update BR.md Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023). * Update BR.md Address Comments: - cabforum#402 (comment) (added "CRL") - cabforum#414 (comment) (as suggested) * Align with BRs Inadvertent numbering change. * Update BR.md Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to cabforum#414 (comment)) * Update BR.md Cleaning-up proposal in advance of discussion. * Update EVG.md [clean-up diff, this file was not intentionally modified in the PR] * Update BR.md [clean-up] * Update BR.md [cleanup] * Update BR.md * Update BR.md * Update BR.md begin integrating SC-61 language. * integrate sc61 * Update BR.md continue tweaking to include sc61 * Update BR.md improve readability * Update BR.md * Update BR.md * Update BR.md * Update BR.md correct spelling error * Update BR.md * Update BR.md typo * Update BR.md * Update BR.md * Update BR.md * Improve specificity of CRL issuance frequency * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md Typo (thanks, Wendy!) * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <[email protected]> * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <[email protected]> * Update BR.md * Update BR.md * Update BR.md Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days." * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <[email protected]> * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <[email protected]> * Update BR.md "twenty four" -> "twenty-four" * Update BR.md * Add provision to handle nonces per RFC8954 * Update BR.md Improve readability. * Update BR.md * Update BR.md * Update BR.md CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates. This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise). * Address comment from Rob * Clean up language * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Address formatting nits * Address table formatting nits. * Remove redundant language re: nextUpdate * Clarify use of "unspecified" CRL Reason Code * Clarify IDP * (Further) Clarify IDP * Update BR.md Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly. * Update BR.md Nits. --------- Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]> * Update BR.md --------- Co-authored-by: Ryan Dickson <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]> * Fall 2023 clean up (cabforum#460) * Issue#169 Issue cabforum#169 - updated 3.2.2.5.6 and 3.2.2.5.7 - added RFC 8738 in References * Issue cabforum#174 Issue cabforum#174 - Updated title in section 3.2.2.4.10 - Updated section 3.2.2.4.18 * Issue cabforum#337 Issue cabforum#337 - Updated title of the document to include TLS Server And also: - updated section 1.1, 1.2, 1.5 and 2.2 to be consistent with the new document name * Issue cabforum#423 Issue cabforum#423 Updated section 1.6.3 - removing version of the Webtrust and changing the link to redirect to all the documents published by CPA Canada - removing version of the NetSec and changing the link to redirect to the NetSec documents * Issue cabforum#430 Issue cabforum#430 Updated with the text suggested by Aaron as it´s the smallest change and clarifies the ambiguity of "reuse" * Issue cabforum#444 Issue cabforum#444 Added empty section 7.1.5 * Issue cabforum#450 Issue cabforum#450 Updated including link to the 6.2.7 section * Issue cabforum#453 Issue cabforum#453 Updated section as indicated * PR cabforum#415 PR cabforum#415 Updated title * Update BR.md Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alpahabetical order * Update BR.md Updated version and changelog * Issue cabforum#461 Issue cabforum#461 Used 2 option for the update * Update docs/BR.md Co-authored-by: Corey Bonnell <[email protected]> * Add line breaks in 7.1.2.11.2 According to cabforum#462 * Revert the change of the NSSR version Put back the version 1.7 in the NetSec * Update BR.md --------- Co-authored-by: Corey Bonnell <[email protected]> --------- Co-authored-by: Ryan Dickson <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]> * Update BRs with the new EVGs section numbers.md Changed sections 3.2.2.4.7 and 7.1.2.7.5, updating the following: Section 3.2.2.4.7 EVG 11.14.3 to new 3.2.2.14.3 Section 7.1.2.7.5 EVG 9.2 to new 7.1.4.2 * Update EVG.md Updated section 7.1.2.2 to fix the link to section 7.1.4.2.8 --------- Co-authored-by: Martijn Katerbarg <[email protected]> Co-authored-by: Ryan Dickson <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]> * Update EVG.md * Update BR.md Update of the TLS BRs with updated pointers to the new EVG sections * Update EVG.md Changed version and date of the EVGs and added the correspondent ballot number --------- Co-authored-by: Martijn Katerbarg <[email protected]> Co-authored-by: Ryan Dickson <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]> * Update EVG.md (cabforum#511) Update EVGs as per SC72 over the new 2.0.0 version * Ballot SC-073: Compromised and Weak Keys (cabforum#500) (cabforum#509) * Ballot SC-073: Compromised and Weak Keys (cabforum#500) * Draft SC-073 language * Fix link * Update BR.md Updated version, date and revisions --------- Co-authored-by: Wayne Thayer <[email protected]> * Auto-comment on new issues stating which TLS BR and EVG versions were active at the time (cabforum#521) * Ballot SC-75 - Pre-sign linting (cabforum#527) * Ballot SC-75 - Pre-sign linting (cabforum#518) * Define "Linting" and relevant language in 4.3.1.2. * Addresses cabforum#518 (comment) * Addressing comments of the email thread https://lists.cabforum.org/pipermail/servercert-wg/2024-May/004603.html up to 2024-06-05. * Delete duplicate text * Update to-be-issued with to-be-signed for consistency * Fix based on cabforum@ff98db7#r142754475 * Second fix based on cabforum@ff98db7#r142754475 * Language improvements * Language improvements * Fix capital first letter Co-authored-by: Corey Bonnell <[email protected]> * Fix capital first letter Co-authored-by: Corey Bonnell <[email protected]> * fix capitalization Co-authored-by: Corey Bonnell <[email protected]> * Moving to a more appropriate section based on cabforum#518 (comment) * Moving to a more appropriate section based on cabforum#518 (comment) * Adding suggestion for CAs to report inaccurate linting results in open-source linting projects. * Language improvements * Improved language for the need of Linting Co-authored-by: Rob Stradling <[email protected]> * Remove double space * Improve language * Clarify language for linting during self-audits Co-authored-by: Martijn Katerbarg <[email protected]> * Fix typo * Small language improvement * Fix table formatting * Fix table formatting --------- Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Rob Stradling <[email protected]> Co-authored-by: Martijn Katerbarg <[email protected]> * Update BR.md changed version and dates as per SC75 --------- Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Rob Stradling <[email protected]> Co-authored-by: Martijn Katerbarg <[email protected]> * Update BR.md (cabforum#517) (cabforum#537) * Update BR.md (cabforum#517) Co-authored-by: Iñigo Barreira <[email protected]> * Update BR as per SC67.md Changed version number and add date --------- Co-authored-by: Chris Clements <[email protected]> --------- Co-authored-by: Iñigo Barreira <[email protected]> Co-authored-by: Martijn Katerbarg <[email protected]> Co-authored-by: Ryan Dickson <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Corey Bonnell <[email protected]> Co-authored-by: Jos <[email protected]> Co-authored-by: Jos Purvis <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Paul van Brouwershaven <[email protected]> Co-authored-by: Ryan Sleevi <[email protected]> Co-authored-by: Wayne Thayer <[email protected]> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <[email protected]> Co-authored-by: Dimitris Zacharopoulos <[email protected]> Co-authored-by: Aaron Gable <[email protected]> Co-authored-by: Rob Stradling <[email protected]> Co-authored-by: Chris Clements <[email protected]>
bluluvinn
approved these changes
Mar 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add files via upload
EVG.md
Update EVG.md
Create EVG original
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Delete EVG original
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG.md
Update EVG to match section 6 of the RFC 3647.md
Updated section 1.1 from scope to overview
Added section 3.2.1 for the possesion of the private key Changed totally/created new section 3.2.2 to cover all section 11 Moved section 8.1 to section 8 and renamed the others to meet RFC3647 Added the self-audits (8.1.1) under section 8.1
Left/created section 8.7 for pre/readiness audits which do not exist under RFC 3647
2 links were updated regarding section 8
Another link updated from 3.2.14.1 to 3.2.2.14.1
Update branch for BRs pointing to new sections of EVGs (Update branch for BRs pointing to new sections of EVGs #476)
Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… #441)
Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates #414)
Profiles WIP
Clarify AIA based on 2021-06-12 call
AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod.
Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate.
This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted.
Fix the certificatePolicies mismatched highlighted by Corey
Change SHOULD NOT to NOT RECOMMENDED
While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors.
By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs.
See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion.
This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id)
Formatting fix
Move the Non-TLS EKU requirement into the Non-TLS profile
Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile.
This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections.
The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs.
This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY.
However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA.
This does remove an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change.
This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV).
This also corrects the organizationalUnit name to reflect SC47v2.
This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text.
For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant.
This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity:
Relaxations:
Clarifications:
Minor fixes and cleanups (Minor fixes and cleanups #399)
Add order and encoding requirement for DC attribute
Remove overly specific Cross-cert requirement; fix serialNumber encoding
Clarify NC exclusion
Remove "Domain Name or IP Address" validation requirement for now
Integrate newer ballots (Integrate newer ballots #406)
Update README (Update README #294)
Adjust the workflow file to build the actions (Adjust the workflow file to build the actions #296)
This addresses a few requests that recently came up from the certificate profiles work:
SC47 Sunset subject:organizationalUnitName (SC47 Sunset subject:organizationalUnitName #282) (SC47 Sunset subject:organizationalUnitName (#282) #290)
SC47 Sunset subject:organizationalUnitName (SC47 Sunset subject:organizationalUnitName #282)
Deprecation of subject:organizationalUnitName
Update language to avoid confusion on the effective date
This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.
SC47 datefix (SC47 datefix #298)
Update dates table
Update EVG.md
Add SC47 reference to relevant dates table
Fixup section number in prior commit
SC48 - Domain Name and IP Address Encoding (SC48 - Domain Name and IP Address Encoding #285) (SC48 - Domain Name and IP Address Encoding (#285) #302)
SC48 - Domain Name and IP Address Encoding (SC48 - Domain Name and IP Address Encoding #285)
First pass
Add more RFC references, some wordsmithing
Another few fixes
Switch to use "LDH Labels"
Propose concrete effective date
Clarification about root zone trailing dot
Replace "label" with "Domain Label" throughout (Create Bylaws.v.1.2 #1)
Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout
Fix double negative
Fix redundant "if the"
Wrap xn-- to prevent ligaturization
SC48 - Domain Name and IP Address Encoding (SC48 - Domain Name and IP Address Encoding #285)
First pass
Add more RFC references, some wordsmithing
Another few fixes
Switch to use "LDH Labels"
Propose concrete effective date
Clarification about root zone trailing dot
Replace "label" with "Domain Label" throughout (Create Bylaws.v.1.2 #1)
Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout
Fix double negative
Fix redundant "if the"
Wrap xn-- to prevent ligaturization
Update dates and version numbers
Ballot SC50 - Remove the requirements of 4.1.1 (Ballot SC50 - Remove the requirements of 4.1.1 #328)
SC50 - Remove the requirements of 4.1.1 (SC50 - Remove the requirements of 4.1.1 #323)
Bump cairosvg from 1.0.20 to 2.5.1
Bumps cairosvg from 1.0.20 to 2.5.1.
Bumps kramdown from 2.3.0 to 2.3.1.
Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys
Rebase based on upstream/main
Move System requirement to 6.1.1.3
Add 4.1.1 as blank
Remove capitalization from 6.1.1.3 where terms are not defined
Re-add 'No stipulation.' to 4.1.1
Remove change to 6.1.1.3
Update version and date table
Ballot SC53: Sunset SHA-1 for OCSP signing (Sunset SHA-1 for OCSP signing #330) (Ballot SC53: Sunset SHA-1 for OCSP signing (#330) #338)
Sunset SHA-1 for OCSP signing (Sunset SHA-1 for OCSP signing #330)
Sunset SHA-1 OCSP signing
Clarify necessity of both items
Standardize date format, fix year in effective date table
Update version, table, and date
Bump actions/checkout from 2 to 3 (Bump actions/checkout from 2 to 3 #342)
Bumps actions/checkout from 2 to 3.
updated-dependencies:
Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements #347)
Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements #336)
Bump cairosvg from 1.0.20 to 2.5.1
Bumps cairosvg from 1.0.20 to 2.5.1.
Bumps kramdown from 2.3.0 to 2.3.1.
Restructure parts of 5.4.x and 5.5.x
Use 'events' consistently in 5.4.1
Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.
Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs
Remove WIP title;
re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.
Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period
Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.
The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.
Update effective date and version number
Update ballot table in document
Fix date string
Ballot SC54: Onion Cleanup (Ballot SC54: Onion Cleanup #369)
SC-54: Onion cleanup (SC-54: Onion cleanup #348)
The voting on ballot SC54 has completed, and the ballot has passed.
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes
0 Abstentions
Bylaw Requirements
· A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
· At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.
——
Addresses BRs: Permit 3.2.2.4.20 for onion domains? #270 allowing method 3.2.2.4.20 for
.oniondomains.Addresses BRs: Clarify the CAA requirements for CAA and .onion addresses #242 creating an exception for
.oniondomains, using existing language from the opening section of 3.2.2.4.Addresses BRs: Appendix B.2 refers to 3.2.2.4.6 rather than 3.2.2.4.18/.19 #241 removing the currently deprecated Domain validation method 3.2.2.4.6.
Addresses BRs: Fix language in APPENDIX B #240. Things are signed using private, not public keys.
Addresses EV Guidelines: Don't require the Tor Service Descriptor Hash for v3 onion names #190, EV Guidelines: Clarify that v2 .onion names need to be well formed #191. According to EV Guidelines: Clarify that v2 .onion names need to be well formed #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.
This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to confirm entropy.
Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).
remove double space
Remove EVG Appendix F, introduce Onion Domain Name term
A few more minor tweaks
Fix numbering
Update for easier read.
Revert "Update for easier read."
This reverts commit 1bac785.
The voting on ballot SC54 has completed, and the ballot has passed.
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes
0 Abstentions
Bylaw Requirements
· A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
· At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.
——
Addresses BRs: Permit 3.2.2.4.20 for onion domains? #270 allowing method 3.2.2.4.20 for
.oniondomains.Addresses BRs: Clarify the CAA requirements for CAA and .onion addresses #242 creating an exception for
.oniondomains, using existing language from the opening section of 3.2.2.4.Addresses BRs: Appendix B.2 refers to 3.2.2.4.6 rather than 3.2.2.4.18/.19 #241 removing the currently deprecated Domain validation method 3.2.2.4.6.
Addresses BRs: Fix language in APPENDIX B #240. Things are signed using private, not public keys.
Addresses EV Guidelines: Don't require the Tor Service Descriptor Hash for v3 onion names #190, EV Guidelines: Clarify that v2 .onion names need to be well formed #191. According to EV Guidelines: Clarify that v2 .onion names need to be well formed #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.
This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to confirm entropy.
Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).
remove double space
Remove EVG Appendix F, introduce Onion Domain Name term
A few more minor tweaks
Fix numbering
Update for easier read.
Revert "Update for easier read."
This reverts commit 1bac785.
Update version numbers and dates
Integrate SC-48 CN requirements
Update BR.md
Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023).
Address Comments:
Inadvertent numbering change.
Add consideration for a phased reduction of short-lived subscriber certificate validity.
(in response to #414 (comment))
Cleaning-up proposal in advance of discussion.
[clean-up diff, this file was not intentionally modified in the PR]
[clean-up]
[cleanup]
Update BR.md
Update BR.md
Update BR.md
begin integrating SC-61 language.
integrate sc61
Update BR.md
continue tweaking to include sc61
improve readability
Update BR.md
Update BR.md
Update BR.md
Update BR.md
correct spelling error
Update BR.md
Update BR.md
typo
Update BR.md
Update BR.md
Update BR.md
Improve specificity of CRL issuance frequency
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Typo (thanks, Wendy!)
Editorial
Editorial
Update BR.md
Update BR.md
Update BR.md
Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days."
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update docs/BR.md
Update docs/BR.md
Update BR.md
"twenty four" -> "twenty-four"
Update BR.md
Add provision to handle nonces per RFC8954
Update BR.md
Improve readability.
Update BR.md
Update BR.md
Update BR.md
CAs issuing CA certificates should publish a new CRL if any certificate is revoked, not just CA certificates.
This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise).
Address comment from Rob
Clean up language
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Update BR.md
Address formatting nits
Address table formatting nits.
Remove redundant language re: nextUpdate
Clarify use of "unspecified" CRL Reason Code
Clarify IDP
(Further) Clarify IDP
Update BR.md
Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly.
Nits.
Fall 2023 clean up (Fall 2023 clean up #460)
Issue#169
Issue #169
Issue #174
Issue #337
Issue #423
Updated section 1.6.3
Issue #430
Updated with the text suggested by Aaron as it´s the smallest change and clarifies the ambiguity of "reuse"
Issue #444
Added empty section 7.1.5
Issue #450
Updated including link to the 6.2.7 section
Issue #453
Updated section as indicated
PR #415
Updated title
Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alpahabetical order
Updated version and changelog
Issue #461
Used 2 option for the update
Update docs/BR.md
Add line breaks in 7.1.2.11.2
According to #462
Put back the version 1.7 in the NetSec
Changed sections 3.2.2.4.7 and 7.1.2.7.5, updating the following: Section 3.2.2.4.7
EVG 11.14.3 to new 3.2.2.14.3
Section 7.1.2.7.5
EVG 9.2 to new 7.1.4.2
Updated section 7.1.2.2 to fix the link to section 7.1.4.2.8