
Baseline Requirements: Add a section to 9.6.3's Subscriber Agreement regarding 4.9.1.1 #172

Closed
sleevi opened this issue Mar 24, 2020 · 0 comments
Labels
baseline-requirements Server Certificate CWG - Baseline Requirements enhancement

Comments

sleevi commented Mar 24, 2020

Currently, the Baseline Requirements require that the Subscriber Agreement includes the following:

8. Acknowledgment and Acceptance: An acknowledgment and acceptance that the CA is
entitled to revoke the certificate immediately if the Applicant were to violate the terms of
the Subscriber Agreement or Terms of Use or if the CA discovers that the Certificate is
being used to enable criminal activities such as phishing attacks, fraud, or the distribution
of malware.

However, this does not require that the Subscriber accepts that the CA is entitled to revoke for any of the reasons stated within their CP/CPS or Section 4.9.1.1 (or, indirectly, through 4.9.1.2). It only places the acceptance based on the Subscriber actions, without recognizing that the CA may have cause to revoke for CA-related actions.

One possible suggestion is:

8. Acknowledgment and Acceptance: An acknowledgment and acceptance that the CA is
entitled to revoke the certificate immediately if the Applicant were to violate the terms of
the Subscriber Agreement or Terms of Use or if the CA determines revocation is
necessary according to these Baseline Requirements.

While more wordsmithing and discussion is needed within the CA/Browser Forum, the replaced clause is already addressed within the CA's Baseline Requirements, and any CA-specific modifications are addressed by 4.9.1.1 requiring that revocation MUST happen within 5 days if

  1. Revocation is required by the CA's Certificate Policy and/or Certification Practice Statement;
sleevi added a commit to sleevi/cabforum-docs that referenced this issue Apr 1, 2020
@sleevi sleevi added the baseline-requirements Server Certificate CWG - Baseline Requirements label Jun 18, 2020
sleevi added a commit to sleevi/cabforum-docs that referenced this issue Jul 27, 2020
sleevi added a commit to sleevi/cabforum-docs that referenced this issue Jul 27, 2020
sleevi added a commit to sleevi/cabforum-docs that referenced this issue Aug 25, 2020
dzacharo pushed a commit that referenced this issue Sep 14, 2020
* Cleanup typos and issues from SC17

Closes #152

* Fix an incorrect reference from 3.2.5 to 3.2.2.5

Closes #155

* Fix typo: compliancy -> compliance

Closes #159

* Cleanup old effective date for CP/CPSes

Closes #161

* Update effective date for 3.2.2.4.6

Closes #163

* Move weak key lookups into 24-hour revocation

Closes #164

* Align Section 6.1.1.3 with 4.9.1.1

Closes #171

* Replace RFC 6844 with RFC 8659

Closes #168

* Clarify that revocation is permitted if required by CP/CPS/BRs

Closes #172

* Correct links to US gov't denial lists

Closes #76

* Add a definition for CA Key Pair

#127

* Clarify CA Key Pair generation (#23)

Close #184

* Attempt to clarify policy OIDs (#21)

Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates

* Fixup formatting issues in the PDF

* Fix issues spotted by Corey

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Cleanup EVG terminology

* Clarify organizationIdentifier contents

As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html

* Apply further suggestions from Corey

Correct Subscriber -> Applicant in additional places

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Spelling, formatting, punctuation improvements (#31)

* Where a word was spelled multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used
* MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4)
* More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*')
* More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage)
* Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*)
* Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.)

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
@dzacharo dzacharo mentioned this issue Sep 14, 2020
dzacharo added a commit that referenced this issue Sep 14, 2020
@sleevi sleevi closed this as completed Sep 25, 2020
dzacharo added a commit that referenced this issue Oct 16, 2020
wthayer pushed a commit that referenced this issue Oct 19, 2020
* Ballot SC28v6: Logging and Log Retention (#222)

Add SC28

* SC35: Cleanups and Clarifications (#208) (#223)


* Update version numbers and cover pages.

* Update effective date to 2020-10-19.

* Update version for the cover page

Co-authored-by: sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>