[cabfpub] Ballot 189 (revised) - Amend Section 6.1.7 of Baseline Requirements

Moudrick M. Dadashov md at ssc.lt
Wed Apr 12 22:28:18 UTC 2017


SSC votes: "Yes".

Thanks,
M.D.

On 4/12/2017 7:33 PM, Arno Fiedler via Public wrote:
>
> D-TRUST votes "yes"
> Arno
>>
>> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of* Dimitris Zacharopoulos via Public
>> *Sent:* Wednesday, April 5, 2017 1:47 AM
>> *To:* public at cabforum.org
>> *Cc:* Dimitris Zacharopoulos <jimmy at it.auth.gr>
>> *Subject:* [cabfpub] Ballot 189 (revised) - Amend Section 6.1.7 of Baseline Requirements
>>
>>
>> After the recent discussion, the ballot is now updated with simpler 
>> language. Voting starts tomorrow April 6th.
>>
>> Dimitris.
>>
>> *Ballot 189 - Amend Section 6.1.7 of Baseline Requirements*
>>
>> The following motion has been proposed by Dimitris Zacharopoulos of 
>> HARICA and endorsed by Bruce Morton of Entrust and Jeremy Rowley of 
>> DigiCert.
>>
>> *Background*:
>>
>> Section 6.1.7 of the Baseline Requirements states that the Root CA 
>> Private Keys MUST NOT be used to sign end-entity certificates, with 
>> some exceptions. It is unclear if this exception list includes 
>> end-entity certificates with EKU id-kp-timeStamping. This ballot 
>> attempts to clarify two things:
>>
>>  1. that it affects Root Keys in a hierarchy that issues SSL
>>     Certificates and
>>  2. that it does not include time stamping certificates in the
>>     exception list.
>>
>> It also clears the exception language for 1024-bit RSA Subscriber 
>> Certificates and testing products with Certificates issued by a Root.
>>
>> *-- MOTION BEGINS --*
>>
>> /Current section 6.1.7/
>>
>> Root CA Private Keys MUST NOT be used to sign Certificates except in 
>> the following cases:
>>
>>  1. Self-signed Certificates to represent the Root Certificate itself;
>>  2. Certificates for Subordinate CAs and Cross Certificates;
>>  3. Certificates for infrastructure purposes (e.g. administrative
>>     role certificates, internal CA operational device certificates,
>>     and OCSP Response verification Certificates);
>>  4. Certificates issued solely for the purpose of testing products
>>     with Certificates issued by a Root CA; and
>>  5. Subscriber Certificates, provided that:
>>
>>      1. The Root CA uses a 1024-bit RSA signing key that was created
>>         prior to the Effective Date;
>>      2. The Applicant’s application was deployed prior to the
>>         Effective Date;
>>      3. The Applicant’s application is in active use by the Applicant
>>         or the CA uses a documented process to establish that the
>>         Certificate’s use is required by a substantial number of
>>         Relying Parties;
>>      4. The CA follows a documented process to determine that the
>>         Applicant’s application poses no known security risks to
>>         Relying Parties;
>>      5. The CA documents that the Applicant’s application cannot be
>>         patched or replaced without substantial economic outlay.
>>      6. The CA signs the Subscriber Certificate on or before June 30,
>>         2016; and
>>      7. The notBefore field in the Subscriber Certificate has a date
>>         on or before June 30, 2016
>>
>> /Proposed section 6.1.7/
>>
>> Private Keys corresponding to Root Certificates MUST NOT be used to 
>> sign Certificates except in the following cases:
>>
>>  1. Self-signed Certificates to represent the Root CA itself;
>>  2. Certificates for Subordinate CAs and Cross Certificates;
>>  3. Certificates for infrastructure purposes (administrative role
>>     certificates, internal CA operational device certificates)
>>  4. Certificates for OCSP Response verification;
>>
>> *These changes become Effective 30 days after the ballot passes.*
>>
>> *-- MOTION ENDS --*
>>
>> The procedure for this ballot is as follows (exact start and end 
>> times may be adjusted to comply with applicable Bylaws and IPR 
>> Agreement):
>>
>> BALLOT 189 Status: Amend BR 6.1.7
>>
>> Discussion (7 days)
>>     Start time (22:00 UTC): 30 March 2017
>>     End time (22:00 UTC):   6 April 2017
>>
>> Vote for approval (7 days)
>>     Start time (22:00 UTC): 6 April 2017
>>     End time (22:00 UTC):   13 April 2017
>>
>> If vote approves ballot: Review Period (Chair to send Review Notice) 
>> (30 days)
>> If Exclusion Notice(s) filed, ballot approval is rescinded and PAG to 
>> be created.
>> If no Exclusion Notices filed, ballot becomes effective at end of 
>> Review Period.
>> Votes must be cast by posting an on-list reply to this thread on the 
>> Public Mail List.
>>     Start time (22:00 UTC): Upon filing of Review Notice by Chair
>>     End time (22:00 UTC):   30 days after filing of Review Notice by Chair
>>
>> From Bylaw 2.3: If the Draft Guideline Ballot is proposing a Final 
>> Maintenance Guideline, such ballot will include a redline or 
>> comparison showing the set of changes from the Final Guideline 
>> section(s) intended to become a Final Maintenance Guideline, and need 
>> not include a copy of the full set of guidelines. Such redline or 
>> comparison shall be made against the Final Guideline section(s) as 
>> they exist at the time a ballot is proposed, and need not take into 
>> consideration other ballots that may be proposed subsequently, except 
>> as provided in Bylaw Section 2.3(j).
>>
>> Votes must be cast by posting an on-list reply to this thread on the 
>> Public list. A vote in favor of the motion must indicate a clear 
>> 'yes' in the response. A vote against must indicate a clear 'no' in 
>> the response. A vote to abstain must indicate a clear 'abstain' in 
>> the response. Unclear responses will not be counted. The latest vote 
>> received from any representative of a voting member before the close 
>> of the voting period will be counted. Voting members are listed here: 
>> https://cabforum.org/members/
>>
>> In order for the motion to be adopted, two thirds or more of the 
>> votes cast by members in the CA category and greater than 50% of the 
>> votes cast by members in the browser category must be in favor. 
>> Quorum is shown on CA/Browser Forum wiki. Under Bylaw 2.2(g), at 
>> least the required quorum number must participate in the ballot for 
>> the ballot to be valid, either by voting in favor, voting against, or 
>> abstaining.
>>
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>
> -- 
> Arno Fiedler
> Nimbus Technologieberatung GmbH
> Reichensteiner Weg 17
> 14195 Berlin
> Mobile:     0049-(0)172-3053272
> Fax:        0049-(0)30-89745-777
> E-Mail:     arno.fiedler at nimbus-berlin.com
> Web:        www.nimbus-berlin.com
> Managing Director:        Arno Fiedler
> VAT ID No.:               DE 203 269 920
> D-U-N-S® No.:             50-730-8117
> Commercial Register No.:  HRB 109409 B