Server Certificate Ballots
Open Ballots (GitHub Pull Requests)
- Created at Sep 10, 2024
- Created at Feb 23, 2024
…(#475)
- Clarify the use of third-party DNS recursive resolvers
Add a sentence to BRs Section 3.2.2.4 clarifying that the use of DNS recursive resolvers which are operated outside the CA's audit scope qualifies as use of a Delegated Third Party, which is forbidden for domain control validation.
- Include clarifications for Domain Contact and IP Address Contact
These are clarifications that the CA must obtain information to be used in the Domain Validation process directly from Domain Name Registrars or IP Address Registration Authorities. CAs must not use third-party services outside their audit scope.
Add the same DNS clarification to 3.2.2.5
Simplify references to Domain Contact
Consolidate new text into 3.2.2, and cover 3.2.2.8 CAA
Add effective date for CAA
Improve effective date table
Improve 1.3.2 effective date
Closed Ballots (GitHub Pull Requests)
- Created at May 20, 2024, merged on Jun 27, 2024 (baseline-requirements)
There have been numerous compliance incidents publicly disclosed by CAs in which they failed to comply with the technical requirements described in standards associated with the issuance and management of publicly-trusted TLS Certificates. However, the industry has developed open-source tools, linters, that are free to use and can help CAs avoid certificate misissuance. Using such linters before issuing a precertificate from a Publicly-Trusted CA (pre-issuance linting) can prevent the mis-issuance in a wide variety of cases.
- Created at May 20, 2024, merged on Aug 5, 2024 (baseline-requirements)
Summary: This is the third version of SC-067, which intends to add “Multi-Perspective Domain Validation” and “Multi-Perspective CAA Checking” (together referred to as “Multi-Perspective Issuance Corroboration”) requirements to the CA/Browser Forum TLS Server Certificate Baseline Requirements.
This Pull Request:
- compares the latest version of SC-067 (Version 3) against Version 2.0.4 of the TLS Server Certificate Baseline Requirements.
- addresses issues and comments made against Ballot Version 2 of this effort during Server Certificate Working Group Public Discussion. A separate branch was created to help make changes across versions of the document clear to readers.
How can you help?
- Better: Add comments to this Pull Request.
- Best: Add suggested edits directly to this Pull Request.
Version History:
- Pre-Ballot Version 1 [branch, compare against SC-63 v3 (obsolete)]
- Pre-Ballot Version 2 [branch, compare against SC-63 v3 (obsolete)]
- Ballot Version 1 [branch, compare of Version 2 against Version 1 (obsolete)]
- Ballot Version 2 [branch, compare of Version 3 against Version 2]
Summary of recent updates (from Version 2 to Version 3):
Additional Notes:
- Some changes in this PR represent clean-ups (e.g., smart quotes -> regular quotes) unrelated to the primary scope of this Ballot (Multi-Perspective Issuance Corroboration).
- “MPDV Work Team” Work Plan (contains useful background and additional context).
- Previous Validation Subcommittee Update introducing this work.
Additional Resources:
On MPDV:
- How Effective is Multiple-Vantage-Point Domain Control Validation?
- Experiences Deploying Multi-Vantage-Point Domain Validation at Let’s Encrypt.
- Let’s Downgrade Let’s Encrypt
- Domain Validation++ For MitM-Resilient PKI
- APIs:
- Cloudflare: Multipath DCV service API
- Princeton: Open MPIC Project
On the problem space:
- A video describing the vulnerabilities these requirements intend to prevent.
- Attackers exploit fundamental flaw in the web’s security to steal $2 million in cryptocurrency
- Celer Bridge incident analysis
- Bamboozling Certificate Authorities with BGP
- Face-to-Face #58 (Presentation from Princeton Team)
- Securing Internet Applications from Routing Attacks
- Created at May 15, 2024, merged on Sep 2, 2024
- Update 8.4 to reference updated WebTrust document names
- Update formatting of section to better incorporate this addition
- Created at Apr 21, 2024, not merged (baseline-requirements)
Clarify that CAs must follow the outline of Section 6 of RFC 3647 for their CP and/or CPS documents.
- Created at Apr 17, 2024, merged on May 6, 2024
- Created at Mar 13, 2024, merged on Apr 3, 2024
This ballot updates the TLS Extended Validation Guidelines (EVGs) by removing the exceptions to policyQualifiers in section 9.7, to align them with the Baseline Requirements (BRs). As a result, this ballot changes policyQualifiers from MUST to NOT RECOMMENDED as stated in the TLS Baseline Requirements, resolving a discrepancy introduced by Ballot SC-62v2 between section 7.1.2.7.9 Subscriber Certificate Policies of the BRs and the Additional Technical Requirements for EV Certificates in the EVGs.
The following motion has been proposed by Paul van Brouwershaven (Entrust) and endorsed by Dimitris Zacharopoulos (HARICA) and Iñigo Barreira (Sectigo).
- Created at Feb 22, 2024, not merged
Summary: This is the first version of SC-067, which intends to add “Multi-Perspective Domain Validation” and “Multi-Perspective CAA Checking” (together referred to as “Multi-Perspective Issuance Corroboration”) requirements to the CA/Browser Forum TLS Server Certificate Baseline Requirements. Official public discussion is expected to begin the week after CA/Browser Forum F2F 61.
This Pull Request:
- compares the latest draft of SC-067 against Version 2.0.2 of the TLS Server Certificate Baseline Requirements.
- addresses issues and comments made against draft Version 2 (pre-ballot) (clean) of this effort. A separate branch was created to help make changes across versions of the document clear to readers, and because the owner of the earlier versions was on leave.
How can you help?
- Better: Add comments to this Pull Request.
- Best: Add suggested edits directly to this Pull Request.
Version History:
- Pre-Ballot Version 1 [ branch, compare against SC-63 v3 (obsolete)]
- Pre-Ballot Version 2 [ branch, compare against SC-63 v3 (obsolete)]
Summary of recent updates:
- Establishes requirements for the use of recursive DNS resolvers for remote Network Perspectives following discussions related to Ballot SC-070.
- Adds flexibility regarding how Network Perspectives may be operated to corroborate domain control validation.
- Permits re-use of MPIC CAA quorum for subdomains under certain conditions.
- Clarifies that Onion Names are outside of scope and exempt from MPIC requirements.
- Moves CAA-related requirements from Section 2.2 into Section 4.2.2.8 to address issue 466.
- Shifts back required implementation dates.
Additional Notes:
- Some changes in this PR represent clean-ups (e.g., smart quotes -> regular quotes) unrelated to the primary scope of this Ballot (Multi-Perspective Issuance Corroboration).
- “MPDV Work Team” Work Plan (contains useful background and additional context).
- Previous Validation Subcommittee Update introducing this work.
Additional Resources:
On MPDV:
- How Effective is Multiple-Vantage-Point Domain Control Validation?
- Experiences Deploying Multi-Vantage-Point Domain Validation at Let’s Encrypt.
- Let’s Downgrade Let’s Encrypt
- Domain Validation++ For MitM-Resilient PKI
- APIs:
- Cloudflare: Multipath DCV service API
- Princeton: Open MPIC Project
On the problem space:
- A video describing the vulnerabilities these requirements intend to prevent.
- Attackers exploit fundamental flaw in the web’s security to steal $2 million in cryptocurrency
- Celer Bridge incident analysis
- Bamboozling Certificate Authorities with BGP
- Face-to-Face #58 (Presentation from Princeton Team)
- Securing Internet Applications from Routing Attacks
- Created at Feb 1, 2024, merged on Mar 4, 2024
Updating the EVG according to ballot SC68
- Created at Jan 29, 2024, merged on Mar 13, 2024
- Created at Jan 18, 2024, merged on Feb 23, 2024
Add a paragraph to BRs Section 3.2.2 clarifying that all Domain Control Validation DNS queries must be conducted by the CA itself, without the use of third-party recursive resolvers. Similarly clarify that looking up information for Domain Contacts and IP Address Contacts must also be done without third-party services.
Require that CAA checks be performed by the CA itself, and not delegated to a third party.
- Created at Dec 21, 2023, not merged
In light of https://bugzilla.mozilla.org/show_bug.cgi?id=1865080, this ballot ensures that all readers of the BRs understand that time periods measured in days (such as validation document reuse periods, random value usage periods, and revocation timelines) are measured precisely, not in calendar days.
Notes:
- This ballot bears some similarity to Ballot SC-52, which never came to a vote.
- This ballot does not strictly define a “month”, allowing infrequent tasks to continue to be executed on the same numeric day of each month, regardless of the number of days in that month.
- Created at Jul 14, 2023, merged on Mar 15, 2024
The Extended Validation Certificates guidelines (EVGs) were developed and written in a specific format. Since then, RFC 3647 has been the basis (and the de-facto standard) for the CA/Browser Forum to develop other documents.
This ballot aims to update the EVGs to follow the RFC 3647 format without changing any content, just moving current sections to those defined in RFC 3647. There are no normative requirements changes.
This change also affects the Baseline Requirements for TLS certificates (BRs), which need to point to the new sections of the EVGs. Both documents will be updated according to the latest version published.
Passed Ballots
- Ballot SC-77: Update WebTrust Audit name in Section 8.4 and References
- Ballot SC-67 v3: Require domain validation and CAA checks to be performed from multiple Network Perspectives Corroboration
- Ballot SC-75: Pre-sign linting
- Ballot SC-73: Compromised and weak keys
- Ballot SC-72: Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED
- Ballot SC-65v2: Convert EVGs into RFC 3647 format
- Ballot SC-69: Clarify router and firewall logging requirements
- Ballot SC-70: Clarify the use of DTPs for Domain Control Validation
- Ballot SC-68: Allow VATEL and VATXI for organizationIdentifier
- Ballot SC-066 v4: Fall 2023 Clean up
- Ballot SC-063 v4: Make OCSP Optional, Require CRLs, and Incentivize Automation
- Ballot SC-59v2: Weak key guidance
- Ballot SC-64: Temporary Moratorium on New Certificate Consumer Memberships
- Ballot SC62v2 – Certificate profiles update
- Ballot SC61v4 – New CRL Entries must have a Revocation Reason Code
- Ballot SC60: Membership of ZT Browser
- Ballot SC58 – Require distributionPoint in sharded CRLs
- Ballot SC56: 2022 Cleanup
- Ballot SC54: Onion Cleanup
- Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements
- Ballot SC53: Sunset for SHA-1 OCSP Signing
- Ballot SC-52 v 2: Specify CRL Validity Intervals in Seconds
- Ballot SC50: Remove the requirements of section 4.1.1
- Ballot SC49: Special Election for Server Certificate Working Group Vice-Chair
- Ballot SC48 v2: Domain Name and IP Address Encoding
- Ballot SC47v2: Sunset subject:organizationalUnitName
- Ballot SC45: Wildcard Domain Validation
- Ballot SC46: Sunset the CAA exception for DNS Operator
- Ballot SC44: Clarify Acceptable Status Codes
- Ballot SC42: 398-day Re-use Period
- Ballot SC43 – Clarify Acceptable Status Codes
- Ballot SC41: Reformatting the BRs, EVGs, and NCSSRs
- Ballot SC37: Election of Server Certificate Working Group Vice Chair
- Ballot SC39v3: Definition of Critical Vulnerability
- Ballot SC40 – Security Requirements for Air-Gapped CA Systems
- Ballot SC38: Alignment of Record Archival
- Special Ballot CSCWG-5: Election of Code Signing Certificate Working Group Vice Chair
- Ballot SC34 – Account Management
- Ballot CSCWG-3: Election of Code Signing Certificate Working Group Chair
- Ballot SC36: Election of Server Certificate Working Group Chair
- Ballot SC28: Logging and Log Retention
- Ballot SC35: Cleanups and Clarifications
- Ballot SC33: TLS Using ALPN Method
- Ballot SC32 – NCSSRs Zones
- Ballot CSCWG-2: Combine Baseline and EV Code Signing Documents
- Ballot SC30v2: Disclosure of Registration / Incorporating Agency
- Ballot SC31: Browser Alignment
- Ballot SC29v3: System Configuration Management
- Ballot SC26v2: Pandoc-Friendly Markdown Formatting Changes
- Ballot SC20: System Configuration Management
- Ballot SC27v3: Version 3 Onion Certificates
- Ballot SC25: Define New HTTP Domain Validation Methods v2
- Ballot SC23 V3 – Precertificates
- Ballot SC24: Fall Cleanup V2
- Ballot SC21 – the Network and Certificate Systems Security Requirements section 3 (Log Integrity Controls)
- Ballot SC22 – Reduce Certificate Lifetimes (v2)
- Ballot FORUM-9: Bylaws and Server Certificate Working Group Charter Updates
- Ballot SC19: Phone Contact with DNS CAA Phone Contact v2
- Ballot SC17 version 7: Alternative registration numbers for EV certificates
- Ballot SC18: Phone Contact with DNS CAA Phone Contact
- Ballot SC16: Other Subject Attributes
- Ballot SC7: Update IP Address Validation Methods
- Ballot SC15: Remove Validation Method Number 9
- Ballot SC14: Updated Phone Validation Methods
- Ballot SC13: CAA Contact Property and Associated E-mail Validation Methods
- Ballot SC12: Sunset of Underscores in dNSNames
- Ballot SC4: CAA Contact Property and Associated E-mail Validation Method
- Ballot Forum-7: Update ETSI requirements in SCWG Charter
- Ballot SC-10: Establishing the Network Security Subcommittee of the SCWG
- Ballot SC-9: Establish the Validation Subcommittee of the SCWG
- Ballot SC5 – Election of Wayne Thayer as SCWG Vice Chair
- Ballot SC11 – Update ETSI requirements in the SCWG Charter
- Ballot SC6 – Revocation Timeline Extension
- Ballot SC8 – Election of Dimitris Zacharopoulos as SCWG Chair
- Ballot SC3: Two-Factor Authentication and Password Improvements
- Ballot SC-1: [Empty]
- Ballot SC2 – Validating Certificates via CAA CONTACT
- Ballot 221 – Two-Factor Authentication and Password Improvements
- Ballot 224: WHOIS and RDAP
- Ballot 223 – Update BR Section 8.4 for CA audit criteria
- Ballot 222 – Remove “Any other method” for IP Address validation
- Ballot 219 – Clarify handling of CAA Record Sets with no “issue”/”issuewild” property tag
- Ballot 220 – Minor Cleanups (Spring 2018)
- Ballot 218 – Remove validation methods 1 and 5
- Ballot 217 – Sunset RFC 2527
- Ballot 208 – dnQualifiers
- Ballot 207 – ASN.1 Jurisdiction in EV Guidelines
- Ballot 209 – EV Liability
- Ballot 215 – Fix Ballot 190 Errata
- Ballot 213 – Revocation Timeline Extension
- Ballot 211 – Resolution of Approval for WTCA v2.1 Changes
- Ballot 214 – CAA Discovery CNAME Errata
- Ballot 190 – Revised Validation Requirements
- Ballot 212 – Canonicalise formal name of the Baseline Requirements
- Ballot 210 – Misc. Changes to the NCSSR
- Ballot 202 – Underscore and Wildcard Characters
- Ballot 204 – Forbid DTPs from doing Domain/IP Ownership
- Ballot 192 – Notary Revision
- Ballot 201 – .onion Revisions
- Ballot 191 – Clarify Place of Business Information
- Ballot 199 – Require commonName in Root and Intermediate Certificates
- Ballot 198 – .Onion Revisions
- Ballot 197 – Effective Date of Ballot 193 Provisions
- Ballot 196 – Define “Audit Period”
- Ballot 195 – CAA Fixup
- Ballot 189 – Amend Section 6.1.7 of Baseline Requirements
- Ballot 194 – Effective Date of Ballot 193 Provisions
- Ballot 193 – 825-day Certificate Lifetimes
- Ballot 187 – Make CAA Checking Mandatory
- Ballot 188 – Clarify use of term “CA” in Baseline Requirements
- Ballot 185 – Limiting the Lifetime of Certificates
- Ballot 186 – Limiting the Reuse of Validation Information
- Ballot 184 – RFC822 Names and otherNames
- Ballot 182 – Readopting BR 3.2.2.4 (Part 2)
- Ballot 181 – Readopting BR 3.2.2.4 (Part 1)
- Ballot 180 – Readopting the BRs, EVGL, EV Code Signing, and NCSSR Guidelines with Amendments
- Ballot 176 – Addition of CNAME verification to domain validation methods
- Ballot 175 – Addition of given name and surname
- Ballot 174 – Reform of Requirements Relating to Conflict with Local Laws
- Ballot 169 – Revised Validation Requirements
- Ballot 173 – Removal of requirement to cease use of private key due to incorrect certificate info
- Ballot 171 – Updating the ETSI standards in the CABF documents
- Ballot 170 – Amend Section 5.1 of Baseline Requirements
- Ballot 168 – Baseline Requirement Corrections – revised
- Ballot 167 – Baseline Requirements Corrections
- Ballot 164 – Certificate Serial Number Entropy
- Ballot 163 – Fix Errata in EV Guidelines 11.2.1
- Ballot 162 – Sunset of Exceptions
- Ballot 161 – Notification of incorrect issuance
- Ballot 160 – Amend Section 4 of Baseline Requirements
- Ballot 159 – Amend Section 4 of Baseline Requirements
- Ballot 156 – Amend Sections 1 and 2 of Baseline Requirements
- Ballots 154 and 155 – Convert to RFC 3647 Framework and GitHub
- Ballot 155 – Convert Network and Certificate System Security Requirements to RFC 3647 Framework and GitHub
- Ballot 153 – Short-Lived Certificates
- Ballot 152 – SHA-1 Deprecation
- Ballot 151 – Addition of Optional OIDs for Indicating Level of Validation
- Ballot 150 – OID Revisions
- Ballot 147 – Attorney Accountant Letter Changes
- Ballot 146 – Convert Baseline Requirements to RFC 3647 Framework
- Ballot 148 – Issuer Field Correction
- Ballot 145 – Operational Existence for Government Entities
- Ballot 144 – Validation rules for .onion names
- Ballot 143 – Formalization of Validation Working Group
- Ballot 142 – Elimination of EV Insurance Requirement
- Ballot 141 – Elimination of EV Insurance Requirement; Financial Responsibility for Mis-Issued Certificates
- Ballot 140 – Short-Life Certificates
- Ballot 133 – Insurance Requirements for EV Issuers
- Ballot 135 – ETSI Auditor Qualifications (passed)
- Ballot 134 – Application of RFC 5280 to Pre-certificates
- Ballot 123 – Reuse of Information (passed)
- Ballot 118 – SHA-1 Sunset (passed)
- Ballot 125 – CAA Records (passed)
- Ballot 131 – Update to Verified Method of Communication (passed)
- Ballot 129 – PSL in BR 11.1.3 (passed)
- Ballot 126 – Operational Existence (passed)
- Ballot 127 – Verification of Agency in EV Guidelines 11.7.2 (passes)
- Ballot 128 – CP Review Working Group (passes)
- Ballot 124 – Business Entity Clarification (passed)
- Ballot 120 – Affiliate Authority to Verify Domain (passed)
- Ballot 122 – Verified Method of Communication (failed)
- Ballot 121 – EV Guidelines Insurance Requirements(failed)
- Ballot 112 – Replace Definition of “Internal Server Name” with “Internal Name”(passed)
- Ballot 119 – Remove “OfIncorporation” from OID descriptions in EVG 9.2.5(passed)
- Ballot 114 – Improvements to the EV Definitions(passed)
- Ballot 89 – Publish Recommendations for the Processing of EV SSL Certificates v.2(passes)
- Ballot 113 – Revision to QIIS in EV Guidelines(passes)
- Ballot 111 – Accelerate Max Certificate Lifetime Reduction Timetable
- Ballot 107 – Removing Version Numbers to WebTrust and ETSI Standards From CABF Guidelines
- Ballot 108 – Defining the Scope of the Baseline Requirements
- Ballot 106 – Extended Deadline to Prohibit OCSP “Good” Response for Non-Issued Certificates
- Ballot 105 – Technical Constraints for Subordinate Certificate Authorities Yielding Broader and Safer PKI Adoption.
- Ballot 104 – EV Domain Validation
- Ballot 103 – OCSP AIA and TLS Feature Extension
- Ballot 101 – EV 11.10.2 Accountants
- Ballot 102 – BR 9.2.3 domainComponent
- Ballot 100 – Extend Deadline – OCSP Good Response
- Ballot 99 – Add DSA Keys
- Ballot 97 – Prevention of Unknown Certificate Contents
- Ballot 96 – Wildcard Certificates and New gTLDs
- Ballot 92 – Subject Alternative Names
- Ballot 93 – Reasons for Revocation (BR issues 6, 8, 10, 21)
- Ballot 88 – BR_9_2_4_Errata-ISO3166
- Ballot 86 – Errata plus ISO3166
- Ballot 84 – ISO 3166-1 User-assigned codes
- Ballot 83 – Adopt Network and Certificate System Security Requirements
- Ballot 80 – Response for Non-Issued Certificates
- Ballot 81 – Required Format for Amendments to Existing Standards or Requirements
- Ballot 69 – Individual Validation Policy
- Ballot 78 – Updates to Domain and IP Validation, High Risk Requests, and Data Source in the Baseline Requirements
- Ballot 76 – Public Review of Network Security Controls
- Ballot 75 – NameConstraints Criticality Flag
- Ballot 74 – Updates to Domain and IP Validation, High Risk Requests, and Data Source in the Baseline Requirements
- Ballot 72 – Reorganize EV Documents
- Ballot 71 – Auditor Qualification Requirements
- Ballot 68 – No Unknown Contents
- Ballot 95 – Guidance on Deprecated Internal Names
- Ballot 64 Revised – Recognized Existence
- Ballot 65 – QIIS Definition Update
- Ballot 62 – Adopt Baseline Requirements Draft 50
- Ballot 61 – Verification Requirements for Parent Subsidiary
- Ballot 60 – Verification Requirements for Parent Subsidiary
- Ballot 58 – Operational Existence Through Parent Subsidiary
- Ballot 57 – Verifying Agency Through Confirmation of Employment Using QIIS or QGIS
- Ballot 59 – Public Review of v. 30b of the Baseline Requirements
- Ballot 56 – QGIS Contact Information
- Ballot 55 – Romanization of Japanese Corporate Names
- Ballot 54 – EV 1-3 Adoption
- Ballot 53 – Contract Signer Self-Asserted Authority
- Ballot 52 – Contract Signer Self-Asserted Authority
- Ballot 51 – Notaries
- Ballot 50 – 64-Character “O” Field
- Ballot 49 – New Certificate for Existing Subscriber
- Ballot 48 – Telephone Number at Place of Business
- Ballot 47 – Document Aging
- Ballot 46 – Audit Report Availability Timing
- Ballot 45 – Verification of Authority
- Ballot 44 – IFAC Membership
- Ballot 43 – Business Categories
- Ballot 42 – Principal Individual
- Ballot 41 – Auditing Report Publication
- Ballot 40 – Terms of Use
- Ballot 37 – Another QGIS
- Ballot 36 – Public WHOIS Information
- Ballot 35 – Role Requirements
- Ballot 34 – Adopt EV Guidelines draft 03 as Version 1.2
- Ballot 30 – Reserved Domain Names
- Ballot 31 – Allow ETSI 102 042
- Ballot 33 – Subject Attribute Requirements
- Ballot 32 – Revocation for Well-Known Private Key
- Ballot 29 – Guidelines Renumbering
- Ballot 27 – Alternatives for Verifying Domain Control
- Ballot 25 – PolicyQualifierId
- Ballot 26 – Certificate Reissuance
- Ballot 24 – Acceptable Audits in EV Processing Guidelines
- Ballot 23 – EV Processing Guidelines
- Ballot 22 – RSA 1024 Retirement
- Ballot 21 – Phone Number at Place of Business
- Ballot 19 – Authoritative Time Source
- Ballot 18 – Pre-Approved Requests
- Ballot 17 – Maximum Validity Period
- Ballot 16 – Unverified Content
- Ballot 15 – Certificate Renewal
- Ballot 14 – Allowed EKUs
- Ballot 13 – QGIS for Place of Business
- Ballot 12 – Adoption of Guidelines v1.1
- Ballot 11 – Prior Equivalent Authority
- Ballot 10 – Non-Latin Names
- Ballot 8 – Foreign Organization Name
- Ballot 7 – Parent Subsidiary