[cabf_validation] Ballot 202: The Return

Ryan Sleevi sleevi at google.com
Fri Jun 11 14:30:29 UTC 2021


On Fri, Jun 11, 2021 at 10:26 AM Corey Bonnell via Validation <
validation at cabforum.org> wrote:

> Hello,
>
> As you all know, Ballot 202 [1] failed a few years ago and since then
> there are certain areas where requirements are unclear. To address these
> issues, I drafted a ballot here:
> https://github.com/cabforum/servercert/pull/285.
>
>
>
> In summary, there are three normative changes:
>
>
>
> Effective immediately upon passage:
>
>    - Prohibition on Unicode representation (“U-labels”) of Domain Labels
>    in subject CN
>
>
>
> Proposed effective October 1st, 2021:
>
>    - All Domain Labels that begin with “xn--” must be followed by valid
>    output of the Punycode encoding algorithm.
>    - Domain Labels that have hyphens as the third and fourth characters
>    must have “xn” (case insensitive) as the first two characters (e.g.,
>    “zz--foo” is not allowed).
>
>
>
> Judging from some analysis of CT logs, the prohibition on U-labels and
> XN-labels with invalid Punycode output affects very few certificates (~100
> valid certificates in CT). The prohibition on non-XN-label Reserved LDH
> labels will be more impactful (several thousand certificates).
>
>
>
> Ryan has provided feedback on the ballot text (thanks!) on Github and also
> raised the question whether this ballot should be incorporated in the
> profiles ballot. My thinking is that we should propose this separately, as
> doing so will reduce the number of normative changes introduced by the
> profiles ballot, which will make it easier for CAs to process and update
> their operations accordingly. Additionally, all the concepts proposed in
> this ballot have been previously discussed during Ballot 202 discussion, so
> this ballot is essentially “self-contained”. I am interested to hear what
> the group thinks, both in terms of whether this work should be incorporated
> in the profiles ballot, and on the draft ballot content itself (especially
> effective dates).
>
>
>
> Thanks,
>
> Corey
>

Hey Corey,

I think we're happy to endorse either way, and I'll do another detailed
pass, although the quick skim of your more recent edits all look great.

As mentioned, the profiles integration is largely selfish - trying to
maintain two versions of profiles with and without this draft would be
unfortunate and a fair bit of work. That said, I definitely want to make
forward progress on as much as we can, so if we can get this started sooner
than later (i.e. without months of discussion, as some ballots seem to
unfortunately take), all the better!
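
The three label rules from the quoted summary above can be expressed as a small pre-issuance check; this is an added example, not part of the thread, the ballot text, or any CA's tooling. The function names and rule identifiers are hypothetical, "valid output of the Punycode encoding algorithm" is approximated by a decode/re-encode round trip with Python's built-in codec, and IDNA-level validity of the decoded text is out of scope.

```python
# Added illustration; function names and rule identifiers are hypothetical.

def punycode_roundtrips(encoded: str) -> bool:
    """True if `encoded` (the lowercased text after "xn--") is what the
    Punycode encoder would emit, checked by decoding and re-encoding it."""
    if not encoded:
        return False
    try:
        decoded = encoded.encode("ascii").decode("punycode")
        return decoded.encode("punycode").decode("ascii").lower() == encoded
    except (UnicodeError, ValueError):
        # Raised for truncated or otherwise undecodable input.
        return False


def check_label(label: str) -> list[str]:
    """Return the rule identifiers a single Domain Label violates."""
    if not label.isascii():
        return ["u-label"]  # Unicode representation of a Domain Label
    lower = label.lower()
    if lower.startswith("xn--"):
        if not punycode_roundtrips(lower[4:]):
            return ["xn-label-invalid-punycode"]
    elif lower[2:4] == "--":
        # Hyphens in positions 3 and 4 without a leading "xn".
        return ["reserved-ldh-not-xn"]
    return []


def check_name(name: str) -> dict[str, list[str]]:
    """Map each offending label of a dotted name to its violations."""
    findings = {}
    for label in name.split("."):
        problems = check_label(label)
        if problems:
            findings[label] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from CT logs.
    for sample in ("xn--bcher-kva.example", "bücher.example",
                   "xn--zz.example", "zz--foo.example", "www.example"):
        print(f"{sample!r}: {check_name(sample) or 'ok'}")
```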