[Servercert-wg] Ballot SC-74 - Clarify CP/CPS structure according to RFC 3647

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed May 8 15:36:44 UTC 2024


Thanks Aaron,

Would it be ok for you to create a GitHub issue 
<https://github.com/cabforum/servercert/issues> to identify the specific 
sections that deviate in content? We might tackle that in a cleanup 
ballot. I don't think the capitalization is so much of a concern but if 
others think it is, please speak up :)


Dimitris.

On 8/5/2024 1:19 AM, Aaron Gable wrote:
> Two notes on this ballot, findings from our process for handling 
> upcoming requirements:
>
> 1) Let's Encrypt has created and open-sourced a tool 
> <https://github.com/letsencrypt/cp-cps/tree/d5b258a/tools/lint> for 
> linting a CPS to confirm compliance with RFC 3647 Section 6 and Ballot 
> SC-074. If you maintain your CPS document in markdown, it should be 
> very simple to use or adapt to your particular situation.
>
> 2) The Baseline Requirements themselves do not quite comply with RFC 
> 3647 Section 6, with several section titles that deviate from that 
> outline in either capitalization or actual content.
>
> We hope this information is helpful to others,
> Aaron
>
> On Thu, Apr 25, 2024 at 9:27 AM Dimitris Zacharopoulos (HARICA) via 
> Servercert-wg <servercert-wg at cabforum.org> wrote:
>
>
>       SC-74 - Clarify CP/CPS structure according to RFC 3647
>
>
>         Summary
>
>     The TLS Baseline Requirements require in section 2.2 that:
>
>     /"The Certificate Policy and/or Certification Practice Statement
>     MUST be structured in accordance with RFC 3647 and MUST include
>     all material required by RFC 3647."/
>
>     The intent of this language was to ensure that all CAs' CP and/or
>     CPS documents contain a similar structure, making it easier to
>     review and compare against the BRs. However, there was some
>     ambiguity as to the actual structure that CAs should follow. After
>     several discussions in the SCWG Public Mailing List
>     <https://lists.cabforum.org/pipermail/servercert-wg/2023-November/004070.html>
>     and F2F meetings, it was agreed that more clarity should be added
>     to the existing requirement, pointing to the outline described in
>     section 6 of RFC 3647.
>
>     The following motion has been proposed by Dimitris Zacharopoulos
>     (HARICA) and endorsed by Aaron Poulsen (Amazon) and Tim Hollebeek
>     (DigiCert).
>
>     You can view the GitHub pull request representing this ballot here
>     <https://github.com/cabforum/servercert/pull/503>.
>
>
>         Motion Begins
>
>     MODIFY the "Baseline Requirements for the Issuance and Management
>     of Publicly-Trusted TLS Server Certificates" based on Version
>     2.0.4 as specified in the following redline:
>
>       * https://github.com/cabforum/servercert/compare/c4a34fe2292022e0a04ba66b5a85df75907ac2a2...f6a90e2a652fbb7a2d62a976b70f4af3adce8dae
>
>
>
>         Motion Ends
>
>     This ballot proposes a Final Maintenance Guideline. The procedure
>     for approval of this ballot is as follows:
>
>
>             Discussion (at least 7 days)
>
>       * Start time: 2024-04-25 16:30:00 UTC
>       * End time: on or after 2024-05-02 16:30:00 UTC
>
>
>             Vote for approval (7 days)
>
>       * Start time: TBD
>       * End time: TBD
>
>