[cabfpub] Ballot 179 - Amend Section 6.1.7 of Baseline Requirements

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Oct 3 14:54:48 UTC 2016


In light of recent developments related to the CA/B Forum IPR policy 
process, I would like to suspend this ballot until these issues are 
resolved.


Best regards,
Dimitris.

On 30/9/2016 10:26 πμ, Dimitris Zacharopoulos wrote:
>
> Following the discussion around timestamping certificates and Root key 
> usage, I prepared the following ballot. Looking for two endorsers.
>
> Thank you,
> Dimitris.
>
> *Background*:
>
> Section 6.1.7 of the Baseline Requirements states that the Root CA 
> Private Keys MUST NOT be used to sign end-entity certificates, with 
> some exceptions. It is unclear if this exception list includes 
> end-entity certificates with EKU id-kp-timeStamping. This ballot 
> attempts to clarify two things:
>
>  1. that it affects Root Keys in a hierarchy that issues SSL
>     Certificates and
>  2. that it does not include time stamping certificates in the
>     exception list.
>
> It also clears the exception language for 1024-bit RSA Subscriber 
> Certificates and testing products with Certificates issued by a Root.
>
> *-- MOTION BEGINS --*
>
> /Current section 6.1.7/
>
> Root CA Private Keys MUST NOT be used to sign Certificates except in 
> the following cases:
>
>  1. Self-signed Certificates to represent the Root CA itself;
>  2. Certificates for Subordinate CAs and Cross Certificates;
>  3. Certificates for infrastructure purposes (e.g. administrative role
>     certificates, internal CA operational device certificates, and
>     OCSP Response verification Certificates);
>  4. Certificates issued solely for the purpose of testing products
>     with Certificates issued by a Root CA; and
>  5. Subscriber Certificates, provided that:
>      1. The Root CA uses a 1024-bit RSA signing key that was created
>         prior to the Effective Date;
>      2. The Applicant’s application was deployed prior to the
>         Effective Date;
>      3. The Applicant’s application is in active use by the Applicant
>         or the CA uses a documented process to establish that the
>         Certificate’s use is required by a substantial number of
>         Relying Parties;
>      4. The CA follows a documented process to determine that the
>         Applicant’s application poses no known security risks to
>         Relying Parties;
>      5. The CA documents that the Applicant’s application cannot be
>         patched or replaced without substantial economic outlay.
>      6. The CA signs the Subscriber Certificate on or before June 30,
>         2016; and
>      7. The notBefore field in the Subscriber Certificate has a date
>         on or before June 30, 2016
>
> /Proposed section 6.1.7/
>
> Private Keys corresponding to Root Certificates that participate in a 
> hierarchy that issues Certificates with an extKeyUsage extension that 
> includes the value id-kp-serverAuth [RFC5280] MUST NOT be used to sign 
> Certificates except in the following cases:
>
>  1. Self-signed Certificates to represent the Root Certificate itself;
>  2. Certificates for Subordinate CAs and Cross Certificates;
>  3. Certificates for infrastructure purposes (administrative role
>     certificates, internal CA operational device certificates)
>  4. Certificates for OCSP Response verification;
>
> /*Note:*/ After the Effective Date Feb 1st 2017, Certificates for Time 
> Stamping Authorities SHALL NOT be directly issued from these Root 
> Certificates.
>
> *-- MOTION ENDS -- *
>
> The review period for this ballot shall commence at 2200 UTC on 
> Tuesday October XX 2016, and will close at 2200 UTC on Tuesday October 
> XX 2016. Unless the motion is withdrawn during the review period, the 
> voting period will start immediately thereafter and will close at 2200 
> UTC on Tuesday October XX 2016. Votes must be cast by posting an 
> on-list reply to this thread.
>
> A vote in favor of the motion must indicate a clear 'yes' in the 
> response. A vote against must indicate a clear 'no' in the response. A 
> vote to abstain must indicate a clear 'abstain' in the response. 
> Unclear responses will not be counted. The latest vote received from 
> any representative of a voting member before the close of the voting 
> period will be counted. Voting members are listed here: 
> https://cabforum.org/members/
>
> In order for the motion to be adopted, two thirds or more of the votes 
> cast by members in the CA category and greater than 50% of the votes 
> cast by members in the browser category must be in favor. Quorum is 
> currently nine (9) members– at least nine members must participate in 
> the ballot, either by voting in favor, voting against, or abstaining.
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161003/e188130e/attachment-0002.html>


More information about the Public mailing list