Integrate SC-56 and SC-58 (cabforum#409)
* Update README (cabforum#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (cabforum#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (cabforum#282) (cabforum#290)

* SC47 Sunset subject:organizationalUnitName (cabforum#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (cabforum#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (cabforum#285) (cabforum#302)

* SC48 - Domain Name and IP Address Encoding (cabforum#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (cabforum#328)

* SC50 - Remove the requirements of 4.1.1 (cabforum#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (cabforum#330) (cabforum#338)

* Sunset SHA-1 for OCSP signing (cabforum#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (cabforum#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (cabforum#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (cabforum#336)

* Restructure parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better delineate responsibilities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (cabforum#369)

* SC-54: Onion cleanup (cabforum#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1. Bylaw 2.3(f) requires:
   - A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
     This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
   - At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
     This requirement was MET.
2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
   This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses cabforum#270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses cabforum#242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses cabforum#241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses cabforum#240. Things are signed using private, not public keys.

* Addresses cabforum#190, cabforum#191. According to cabforum#191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC-56: 2022 Cleanup (cabforum#401)

* SC-56: 2022 Cleanup (cabforum#385)

Ballot has passed; moving to SC56 branch for IPR

* cabforum#340

* cabforum#339

* cabforum#333

* cabforum#318

* cabforum#315

* cabforum#312

* cabforum#309

* cabforum#275

* cabforum#344

* cabforum#345

* cabforum#378

* cabforum#380

* cabforum#287

* cabforum#300

* cabforum#259

* cabforum#284

* cabforum#277

* cabforum#311

* cabforum#310

* Remove historical effective dates

* cabforum#196

* cabforum#251

* cabforum#212

* cabforum#386

* Grammatical improvement suggested by Wendy Brown

* Remove text for retired methods

* Switch to new tables tooling

* Fix broken section references

* Bump upload-artifact version

* Linkify US denied persons/entities list URLs

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update effective dates and tables

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-58: Require distributionPoint in sharded CRLs (cabforum#396) (cabforum#403)

* SC-58: Require distributionPoint in sharded CRLs (cabforum#396)

* SC-XX: Require distributionPoint in sharded CRLs

The language in RFC 5280 regarding the interaction between the
distributionPoint field of the Issuing Distribution Point CRL extension
and the existence of sharded CRLs has led to significant debate on
interpretation, and appears to contradict X.509.

To protect against replacement attacks, make it explicitly clear that
the Issuing Distribution Point extension and distributionPoint field are
required for sharded or partitioned CRLs.

* Remind readers that the IDP must be critical

* Change effective date to Jan 15

* Change effective date in Section 1.2 table, too

* Update BR.md

Co-authored-by: Aaron Gable <aaron@letsencrypt.org>

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
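A checker for the SC-58 point made in the commit message above (a sharded CRL must carry a critical Issuing Distribution Point whose distributionPoint names the shard the certificate's CRL Distribution Point URL refers to), added here as an illustration and not code from the cabforum repository. It uses the Python `cryptography` library; the shard URL, issuer name and signing key are constructed, hypothetical values.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Hypothetical shard URL used for the constructed sample CRL (not a real CA endpoint).
SHARD_URI = "http://crl.example.test/shard-7.crl"

def check_sharded_crl(crl_der: bytes, cert_cdp_uri: str) -> list:
    """List the ways a CRL misses the SC-58 bar: a critical IssuingDistributionPoint
    whose distributionPoint names the shard the certificate's CDP points at."""
    crl = x509.load_der_x509_crl(crl_der)
    try:
        ext = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint)
    except x509.ExtensionNotFound:
        # Without an IDP, any CRL signed by this issuer is scope-less, so a shard
        # that happens not to list this certificate could be served in its place.
        return ["no IssuingDistributionPoint extension"]
    problems = []
    if not ext.critical:
        problems.append("IssuingDistributionPoint is not marked critical")
    idp = ext.value
    if idp.full_name is None and idp.relative_name is None:
        problems.append("IssuingDistributionPoint has no distributionPoint")
        return problems
    uris = [n.value for n in (idp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]
    if cert_cdp_uri not in uris:
        problems.append(f"distributionPoint {uris} does not cover {cert_cdp_uri}")
    return problems

def build_sample_crl(with_idp: bool = True, critical: bool = True,
                     uri: str = SHARD_URI) -> bytes:
    """Constructed sample: a throwaway EC key signs a tiny, empty CRL so the
    checker has real DER to parse. Not any CA's actual CRL."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
               .last_update(now).next_update(now + datetime.timedelta(days=7)))
    if with_idp:
        idp = x509.IssuingDistributionPoint(
            full_name=[x509.UniformResourceIdentifier(uri)], relative_name=None,
            only_contains_user_certs=False, only_contains_ca_certs=False,
            only_some_reasons=None, indirect_crl=False,
            only_contains_attribute_certs=False)
        builder = builder.add_extension(idp, critical=critical)
    crl = builder.sign(private_key=key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)

if __name__ == "__main__":
    print(check_sharded_crl(build_sample_crl(), SHARD_URI))
    print(check_sharded_crl(build_sample_crl(with_idp=False), SHARD_URI))
```

Run the checker against a certificate's actual CDP URL and the CRL fetched from it; a non-empty result means the CRL could be swapped for another shard of the same issuer without the client noticing.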
14 people committed Jan 12, 2023
1 parent eca3d08 commit 070bef1
Showing 3 changed files with 99 additions and 135 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/build-draft-docs.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
with:
ref: ${{ github.event.pull_request.base.sha || github.event.push.before }}
path: old/
- uses: docker://ghcr.io/sleevi/build-guidelines-action:tables
- uses: docker://ghcr.io/cabforum/build-guidelines-action:2.1.0
id: build_doc
with:
markdown_file: docs/${{ matrix.document }}.md
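Review bot: `docker://ghcr.io/cabforum/build-guidelines-action:2.1.0` still resolves a mutable tag, so a republished 2.1.0 would silently change what builds the guideline documents; pin the image by digest as well (`ghcr.io/cabforum/build-guidelines-action:2.1.0@sha256:<digest>`) so the version stays readable and the content is fixed. Moving off the personal `sleevi` namespace and the floating `tables` tag is the right direction; the digest closes the remaining gap, and the "Switch to new tables tooling" bullet in the commit message could say that the image source moved.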
Expand All @@ -28,7 +28,7 @@ jobs:
docx: true
lint: true
draft: ${{ !(github.event_name == 'push' && github.repository == 'cabforum/servercert' && github.ref == 'refs/heads/main') }}
- uses: actions/upload-artifact@v2
- uses: actions/upload-artifact@v3
with:
name: ${{ matrix.document }}-${{ github.event.pull_request.head.sha || github.sha }}-${{ github.event_name }}
path: |
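Review bot: `actions/upload-artifact@v3` is a floating major tag, so this job takes whatever the maintainers publish under `v3`; since it produces the redline and DOCX artifacts that members review, pin the full commit SHA of the chosen v3 release and keep the version in a trailing comment (`uses: actions/upload-artifact@<sha> # v3.x.y`). The artifact name `${{ matrix.document }}-${{ github.event.pull_request.head.sha || github.sha }}-${{ github.event_name }}` matches the per-event naming scheme the commit message describes for avoiding clobbered redlines, so that part reads fine.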