[cabfpub] Notice of Review Period - Ballot 189

Kirk Hall Kirk.Hall at entrustdatacard.com
Fri Apr 14 10:24:47 MST 2017


NOTICE OF REVIEW PERIOD - BALLOT 189

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's Intellectual Property Rights Policy (v1.2).  This Review Period is for Final Maintenance Guidelines (30 day Review Period).  A complete draft of the Draft Guideline that is the subject of this Review Notice is attached.

Date Review Notice Sent:        April 14, 2017

Ballot for Review:                    Ballot 189

Start of Review Period:           April 14, 2017 at 22:00 UTC

End of Review Period:             May 14, 2017 at 22:00 UTC

Note: Assuming no Exclusion Notices are filed, we will substitute the date "August 14, 2017" for the words "3 months after the ballot passes" in the updated Baseline Requirements as follows:

"Effective August 14, 2017, Certificates for Time Stamping end-entity Certificates SHALL NOT be directly issued from these Root Certificates."

Please forward any Exclusion Notice relating to Essential Claims to the Chair by email to kirk.hall at entrustdatacard.com before the end of the Review Period.  See current version of CA/Browser Forum Intellectual Property Rights Policy for details.

(Optional form of Exclusion Notice is attached)


Ballot 189 - Amend Section 6.1.7 of Baseline Requirements

-- MOTION BEGINS --

Current section 6.1.7

Root CA Private Keys MUST NOT be used to sign Certificates except in the following cases:

  1.  Self-signed Certificates to represent the Root Certificate itself;
  2.  Certificates for Subordinate CAs and Cross Certificates;
  3.  Certificates for infrastructure purposes (e.g. administrative role certificates, internal CA operational device certificates, and OCSP Response verification Certificates);
  4.  Certificates issued solely for the purpose of testing products with Certificates issued by a Root CA; and
  5.  Subscriber Certificates, provided that:
     *   The Root CA uses a 1024-bit RSA signing key that was created prior to the Effective Date;
     *   The Applicant's application was deployed prior to the Effective Date;
     *   The Applicant's application is in active use by the Applicant or the CA uses a documented process to establish that the Certificate's use is required by a substantial number of Relying Parties;
     *   The CA follows a documented process to determine that the Applicant's application poses no known security risks to Relying Parties;
     *   The CA documents that the Applicant's application cannot be patched or replaced without substantial economic outlay.
     *   The CA signs the Subscriber Certificate on or before June 30, 2016; and
     *   The notBefore field in the Subscriber Certificate has a date on or before June 30, 2016

Proposed section 6.1.7

Private Keys corresponding to Root Certificates that participate in a hierarchy that issues Certificates with an extKeyUsage extension that includes the value id-kp-serverAuth [RFC5280] MUST NOT be used to sign Certificates except in the following cases:

  1.  Self-signed Certificates to represent the Root CA itself;
  2.  Certificates for Subordinate CAs and Cross Certificates;
  3.  Certificates for infrastructure purposes (administrative role certificates, internal CA operational device certificates)
  4.  Certificates for OCSP Response verification;

Effective 3 months after the ballot passes, Certificates for Time Stamping end-entity Certificates SHALL NOT be directly issued from these Root Certificates.
-- MOTION ENDS --


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ballot 189 - Review Notice and Exclusion Notice Template.pdf
Type: application/pdf
Size: 498046 bytes
Desc: Ballot 189 - Review Notice and Exclusion Notice Template.pdf
URL: <http://cabforum.org/pipermail/public/attachments/20170414/56625ff7/attachment-0001.pdf>

