[cabfpub] REVISED Notice of Review Period - Ballot 189

Kirk Hall Kirk.Hall at entrustdatacard.com
Sat Apr 15 09:52:33 MST 2017


The Notice of Review Period sent yesterday included the text of Ballot 189 as it existed during the discussion period.  The ballot was modified just before the start of the voting period.  As a result, here is a REVISED Notice of Review Period for Ballot 189 including the final ballot language as revised.


REVISED NOTICE OF REVIEW PERIOD - BALLOT 189

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum's Intellectual Property Rights Policy (v1.2).  This Review Period is for Final Maintenance Guidelines (30 day Review Period).  A complete draft of the Draft Guideline that is the subject of this Review Notice is attached.

Date Review Notice Sent:     April 15 2017

Ballot for Review:                  Ballot 189

Start of Review Period:         April 15, 2017 at 22:00 UTC

End of Review Period:           May 15, 2017 at 22:00 UTC

Please forward any Exclusion Notice relating to Essential Claims to the Chair by email to kirk.hall at entrustdatacard.com<mailto:kirk.hall at entrustdatacard.com> before the end of the Review Period.  See current version of CA/Browser Forum Intellectual Property Rights Policy for details.

(Optional form of Exclusion Notice is attached)

Ballot 189 - Amend Section 6.1.7 of Baseline Requirements

The following motion has been proposed by Dimitris Zacharopoulos of HARICA and endorsed by Bruce Morton of Entrust and Jeremy Rowley of Digicert

Background:

Section 6.1.7 of the Baseline Requirements states that the Root CA Private Keys MUST NOT be used to sign end-entity certificates, with some exceptions. It is unclear if this exception list includes end-entity certificates with EKU id-kp-timeStamping. This ballot attempts to clarify two things:

  1.  that it affects Root Keys in a hierarchy that issues SSL Certificates and
  2.  that it does not include time stamping certificates in the exception list.

It also clears the exception language for 1024-bit RSA Subscriber Certificates and testing products with Certificates issued by a Root.

-- MOTION BEGINS --

Current section 6.1.7

Root CA Private Keys MUST NOT be used to sign Certificates except in the following cases:

  1.  Self-signed Certificates to represent the Root Certificate itself;
  2.  Certificates for Subordinate CAs and Cross Certificates;
  3.  Certificates for infrastructure purposes (e.g. administrative role certificates, internal CA operational device certificates, and OCSP Response verification Certificates);
  4.  Certificates issued solely for the purpose of testing products with Certificates issued by a Root CA; and
  5.  Subscriber Certificates, provided that:
     *   The Root CA uses a 1024-bit RSA signing key that was created prior to the Effective Date;
     *   The Applicant's application was deployed prior to the Effective Date;
     *   The Applicant's application is in active use by the Applicant or the CA uses a documented process to establish that the Certificate's use is required by a substantial number of Relying Parties;
     *   The CA follows a documented process to determine that the Applicant's application poses no known security risks to Relying Parties;
     *   The CA documents that the Applicant's application cannot be patched or replaced without substantial economic outlay.
     *   The CA signs the Subscriber Certificate on or before June 30, 2016; and
     *   The notBefore field in the Subscriber Certificate has a date on or before June 30, 2016

Proposed section 6.1.7

Private Keys corresponding to Root Certificates MUST NOT be used to sign Certificates except in the following cases:

  1.  Self-signed Certificates to represent the Root CA itself;
  2.  Certificates for Subordinate CAs and Cross Certificates;
  3.  Certificates for infrastructure purposes (administrative role certificates, internal CA operational device certificates)
  4.  Certificates for OCSP Response verification;

These changes become Effective 30 days after the ballot passes.

-- MOTION ENDS --
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170415/ee870db2/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ballot 189 - REVISED Review Notice and Exclusion Notice Template (15 Apr....pdf
Type: application/pdf
Size: 494456 bytes
Desc: Ballot 189 - REVISED Review Notice and Exclusion Notice Template (15 Apr....pdf
URL: <http://cabforum.org/pipermail/public/attachments/20170415/ee870db2/attachment-0001.pdf>


More information about the Public mailing list