-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SCXX - Certificate Profiles #373
Commits on Jul 13, 2022
-
Configuration menu - View commit details
-
Copy full SHA for 4b56725 - Browse repository at this point
Copy the full SHA 4b56725View commit details -
Clarify AIA based on 2021-06-12 call
AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod.
Configuration menu - View commit details
-
Copy full SHA for 03a388e - Browse repository at this point
Copy the full SHA 03a388eView commit details -
Address basicConstraints for OCSP Responder feedback
Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate.
Configuration menu - View commit details
-
Copy full SHA for f7e22bb - Browse repository at this point
Copy the full SHA f7e22bbView commit details -
As captured on https://archive.cabforum.org/pipermail/validation/2021-July/001675.html provide better guidance for the encoding of cRLDistributionPoints and the permitted protocols.
Configuration menu - View commit details
-
Copy full SHA for f22537f - Browse repository at this point
Copy the full SHA f22537fView commit details -
Configuration menu - View commit details
-
Copy full SHA for 1d5ee9c - Browse repository at this point
Copy the full SHA 1d5ee9cView commit details -
Non-TLS CAs MUST NOT include id-kp-OCSPSigning, since this would potentially make them OCSP signers for the issuing CA. Similarly, with respect to non-TLS CAs, it's fine (and useful!) to use other EKUs, so this is a MAY (or possibly SHOULD), not a SHOULD NOT.
Configuration menu - View commit details
-
Copy full SHA for 1fd2d67 - Browse repository at this point
Copy the full SHA 1fd2d67View commit details -
Configuration menu - View commit details
-
Copy full SHA for 25fd686 - Browse repository at this point
Copy the full SHA 25fd686View commit details -
Introduce Precertificate Signing CA Profile
A Precertificate Signing CA, ontologically, a type of Technically Constrained Non-TLS Sub-CA, by virtue of the Extended Key Usage. To avoid ambiguity, this introduces a profile specific for Precert Signing CAs that make it clear that the Precert Signing EKU MUST be the only EKU present, to avoid a situation similar to that seen with OCSP responders. RFC 6962 is somewhat fast and loose with respect to whether or not "CA:true" is required in the profile for these, but in practice, implementations of logs, and existing CAs, do expect CA:true. Although not meant to be a normative change from the existing practices and consequences of existing requirements, it does make explicit that such CAs MUST only sign Precertificates; although this is less critical given the EKU constraint (to being a singular EKU), it represents a defense in depth approach consistent with existing practice.
Configuration menu - View commit details
-
Copy full SHA for a2a7f75 - Browse repository at this point
Copy the full SHA a2a7f75View commit details -
Align postalCode/streetAddress hierarchy
As pointed out by DigiCert, postal code represents a greater enclosing area than the street address, and thus hierarchically should appear first.
Configuration menu - View commit details
-
Copy full SHA for 51811aa - Browse repository at this point
Copy the full SHA 51811aaView commit details -
Fix nameConstraints for TLS subCAs
They were accidentally a MUST, when they should have been a MAY. Bad copy/paste.
Configuration menu - View commit details
-
Copy full SHA for b7a269b - Browse repository at this point
Copy the full SHA b7a269bView commit details -
Bump OCSP placeholder dates for cert policies
Move the effective date to 6 months from now; will likely continue to move as we finalize things, but offers a placeholder to handling effective dates.
Configuration menu - View commit details
-
Copy full SHA for a85067a - Browse repository at this point
Copy the full SHA a85067aView commit details -
Make cRLDP MUST NOT for OCSP Responders
As pointed out by Corey, an id-pkix-ocsp-nocheck should be expected to disable all revocation checking (not just recursive OCSP revocation checking), so it makes sense to MUST NOT the cRLDP for the OCSP Responder, since we MUST nocheck.
Configuration menu - View commit details
-
Copy full SHA for 941af64 - Browse repository at this point
Copy the full SHA 941af64View commit details -
Configuration menu - View commit details
-
Copy full SHA for e62f560 - Browse repository at this point
Copy the full SHA e62f560View commit details -
Precertificates and Precertificate Signing CAs
This introduces the notion of Precertificates and Precertificate Signing CAs as part of the Profiles, and captures the existing requirements from RFC 6962. It defines a Precertificate as based on a transformation of an existing Certificate conforming to one of the profiles, as opposed to attempting to define variants for every version or how to construct a Precertificate for a given profile. This attempts to similarly capture that, for purposes of compliance, a Precertificate is treated as if there is an equivalent Certificate, by reflecting that Precertificates need to match a Certificate based on the transformations defined, and that the Certificates need to match the profiles defined.
Configuration menu - View commit details
-
Copy full SHA for fd362d7 - Browse repository at this point
Copy the full SHA fd362d7View commit details -
This attempts to clarify when/how backdating is allowed, particularly since it may affect path building. It gives a generous period for CA backdating when the distinguishedName remains the same, but may be imperfect if the keys are changing.
Configuration menu - View commit details
-
Copy full SHA for cb28681 - Browse repository at this point
Copy the full SHA cb28681View commit details -
Address the "any other value" situations with 7.1.2.4 language
This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted.
Configuration menu - View commit details
-
Copy full SHA for 57552a7 - Browse repository at this point
Copy the full SHA 57552a7View commit details -
Configuration menu - View commit details
-
Copy full SHA for a2af324 - Browse repository at this point
Copy the full SHA a2af324View commit details -
Configuration menu - View commit details
-
Copy full SHA for ad4f121 - Browse repository at this point
Copy the full SHA ad4f121View commit details -
Change SHOULD NOT to NOT RECOMMENDED
While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion.
Configuration menu - View commit details
-
Copy full SHA for 24b3d5d - Browse repository at this point
Copy the full SHA 24b3d5dView commit details -
Clarify subject name rules & add effective date
This restructures the naming rules to try to clarify: - That technically constrained non-TLS sub-CAs are in-scope, but the certificates they issue are not - That the rules about byte-for-byte apply for all certificates in scope - That the requirements for the ordering and sequencing of names is a forward-dated requirement. Although it can be argued that some of these are existing requirements, avoid any messiness by structuring it holistically. - Adds a note to 7.1.4 to call out that 7.1.2.2.1 provides an exception - State the exception in 7.1.2.2.1 both normatively and informatively, to try and avoid misinterpretation. This was based on Corey's feedback in https://github.com/sleevi/cabforum-docs/pull/36/files#r689880007
Configuration menu - View commit details
-
Copy full SHA for ebf167a - Browse repository at this point
Copy the full SHA ebf167aView commit details -
Remove dnsSRV and cleanup otherName handling
This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id)
Configuration menu - View commit details
-
Copy full SHA for cb1eff3 - Browse repository at this point
Copy the full SHA cb1eff3View commit details -
Configuration menu - View commit details
-
Copy full SHA for e8eb511 - Browse repository at this point
Copy the full SHA e8eb511View commit details -
Move the Non-TLS EKU requirement into the Non-TLS profile
Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections.
Configuration menu - View commit details
-
Copy full SHA for 69d6ee3 - Browse repository at this point
Copy the full SHA 69d6ee3View commit details -
Redo Certificate Policies for Non-TLS CAs
The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change.
Configuration menu - View commit details
-
Copy full SHA for 0543366 - Browse repository at this point
Copy the full SHA 0543366View commit details -
Make PolicyIdentifier ordering optional
This makes the requirement for the Reserved Policy Identifier to be the first policyIdentifier optional, while explaining with a note the basis for that logic. To avoid confusion, it makes it clear that only one instance of a Reserved Policy Identifier may be present (e.g. can't be simultaneously OV and EV)
Configuration menu - View commit details
-
Copy full SHA for 1474616 - Browse repository at this point
Copy the full SHA 1474616View commit details -
Indicate a max for serial numbers
This incorporates Corey's sleevi@04c55a4
Configuration menu - View commit details
-
Copy full SHA for ed5f01c - Browse repository at this point
Copy the full SHA ed5f01cView commit details -
Try to address the SKI uniqueness
The approach to SKI uniqueness was flagged as ambigous, and two options were presented: - Option 1, mandate the SKI generation algorithm - Option 2, clarify that it's only unique "for the CA" Option 2 still has security risks with respect to denial of service, but CAs were unsure about when Option 1 would b eimplementable (e.g. if mandating SHA-2, CA software that uses SHA-1 would need to be updated). For now, this goes with Option 2, although a mandatory algorithm would resolve the issues wholesale. This is adapted from Corey Bonnell's sleevi@41cb306
Configuration menu - View commit details
-
Copy full SHA for 9a6a656 - Browse repository at this point
Copy the full SHA 9a6a656View commit details -
Allow backdating up to 48 hours
This adopts a 48 hour window, as proposed in sleevi@816ad7a
Configuration menu - View commit details
-
Copy full SHA for 04cadf2 - Browse repository at this point
Copy the full SHA 04cadf2View commit details -
This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2.
Configuration menu - View commit details
-
Copy full SHA for 099122b - Browse repository at this point
Copy the full SHA 099122bView commit details -
Harmonize effective dates to 2022-11-01
This only affects the certificatePolicies for OCSP Responders and the naming rules (for all certificates), but shifts to a harmonized date.
Configuration menu - View commit details
-
Copy full SHA for ab5fedc - Browse repository at this point
Copy the full SHA ab5fedcView commit details -
Formatting & Section Heading fixes
This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text.
Configuration menu - View commit details
-
Copy full SHA for f51e839 - Browse repository at this point
Copy the full SHA f51e839View commit details -
Fixup the OU field
Configuration menu - View commit details
-
Copy full SHA for 89541fa - Browse repository at this point
Copy the full SHA 89541faView commit details -
Configuration menu - View commit details
-
Copy full SHA for c46d7c8 - Browse repository at this point
Copy the full SHA c46d7c8View commit details -
Fix a bug in non-TLS technically constrained CAs
For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant.
Configuration menu - View commit details
-
Copy full SHA for ca45753 - Browse repository at this point
Copy the full SHA ca45753View commit details -
In order for the precertificate signing CA to be considered technically constrained, restrict its EKU to only permitting it to issue precertificates. Additionally, add a cross-reference and tweak a MAY to a may, as the paragraph that follows the MAY contains the actual normative requirement, and this is just an informative explainer.
Configuration menu - View commit details
-
Copy full SHA for 12b2875 - Browse repository at this point
Copy the full SHA 12b2875View commit details -
Remove rfc822Name from TLS technically constrained CAs
rfc822Name is allowed, and described, in 7.1.2.10.9, as its a translation of the requirements of 3.2.2.4/3.2.2.5/7.1.2.4 of the existing BRs, and there are some CA profiles that allow non-TLS EKUs to be present (for ex, cross-certification). For technically constrained TLS sub-CAs, it was originally present because of Mozilla Root Store Policy, Section 1.1, which requires out-of-scope CAs to constrain on that name type. However, since a TCSC TLS CA MUST NOT include EKUs other than serverAuth & clientAuth, it was seen as unnecessary to even allow rfc822Name.
Configuration menu - View commit details
-
Copy full SHA for f288195 - Browse repository at this point
Copy the full SHA f288195View commit details -
This clarifies the language around precerts by: * harmonizing on 'corresponding Certificate' instead of 'equivalent Certificate' * changing 'byte-for-byte equivalent' to 'byte-for-byte identical' to avoid any ambiguity * Rewording the AKI section when using a Precert Signing CA, to avoid stating the same requirement several ways that might be read as giving conflicting or different guidance, and RECOMMENDING/SHOULD harmonizing on the AKI containing the Precert Signing CA's SKI, as the Log is expected to transform and substitute (and all observed logs appear to do so).
Configuration menu - View commit details
-
Copy full SHA for f616d86 - Browse repository at this point
Copy the full SHA f616d86View commit details -
This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented").
Configuration menu - View commit details
-
Copy full SHA for 5ad28de - Browse repository at this point
Copy the full SHA 5ad28deView commit details
Commits on Aug 16, 2022
-
Changes to Key Usage values for Subscriber Certificates (#376)
Changing dataEncipherment for RSA and KeyAgreement for ECC to not recommended.
Configuration menu - View commit details
-
Copy full SHA for e7b2fbf - Browse repository at this point
Copy the full SHA e7b2fbfView commit details
Commits on Sep 14, 2022
-
Configuration menu - View commit details
-
Copy full SHA for 15711d8 - Browse repository at this point
Copy the full SHA 15711d8View commit details -
Add single all-encompassing effective date (#381)
* Add single all-encompassing effective date * Integrate discussion from 2022-08-25 VSC call Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Configuration menu - View commit details
-
Copy full SHA for 18a98c3 - Browse repository at this point
Copy the full SHA 18a98c3View commit details
Commits on Oct 5, 2022
-
Add specification for EV attributes (#391)
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Configuration menu - View commit details
-
Copy full SHA for 8999394 - Browse repository at this point
Copy the full SHA 8999394View commit details
Commits on Oct 6, 2022
-
Update to allow multiple instances of subject attributes (#392)
* Update to allow multiple instances of subject attributes To allow for multiple instances of the domainContact attributes until we can address at an upcoming ballot. * Specific exceptions for attributes with multiple instances Allow multiple instances of the same attribute for `streetAddress` and `domainComponent`. For the latter, language from [ballot 102](https://cabforum.org/2013/05/31/ballot-102-br-9-2-3-domaincomponent/) was used. * Correct IV streetAddress multiple instances For consistency allow multiple instances for the `streetAddress` attribute in IV Certificates. * Update docs/BR.md Improved language for the domainComponent Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Configuration menu - View commit details
-
Copy full SHA for 3370f7b - Browse repository at this point
Copy the full SHA 3370f7bView commit details
Commits on Oct 26, 2022
-
Add order and encoding requirement for DC attribute (#395)
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Configuration menu - View commit details
-
Copy full SHA for 948dda6 - Browse repository at this point
Copy the full SHA 948dda6View commit details
Commits on Nov 3, 2022
-
Clarify OUs in CA Certificates (#398)
* Clarify that OUs are not allowed for CA Certificates described in section 7.1.2.3 per conversation in https://lists.cabforum.org/pipermail/validation/2022-October/001812.html. Added an effective date of 2022-12-12 which can be updated as needed. * Fix typo with quotes * Update based on F2F 57 - Removal of OU validation rules prior to 2022-12-12 because it includes non-TLS Issuing CAs - Clarification that the "MUST NOT" for OUs after 2022-12-12 also applies to Root CA Certificates and TLS Subordinate CA Certificates * fix effective date * Fix references and adding the two types of TLS CAs * Improve language around OUs in CA Certificates Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Capitalize "CA certificates" for consistency * Fix typo Fix typo based on #398 (comment) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Configuration menu - View commit details
-
Copy full SHA for 50cee81 - Browse repository at this point
Copy the full SHA 50cee81View commit details
Commits on Nov 14, 2022
-
Minor fixes and cleanups (#399)
* Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Configuration menu - View commit details
-
Copy full SHA for 253bc26 - Browse repository at this point
Copy the full SHA 253bc26View commit details
Commits on Dec 1, 2022
-
Integrate newer ballots (#406)
* Update README (#294) Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Adjust the workflow file to build the actions (#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (#282) (#290) * SC47 Sunset subject:organizationalUnitName (#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * SC47 datefix (#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> * SC48 - Domain Name and IP Address Encoding (#285) (#302) * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC50 - Remove the requirements of 4.1.1 (#328) * SC50 - Remove the requirements of 4.1.1 (#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update version and date table Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338) * Sunset SHA-1 for OCSP signing (#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version, table, and date Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Bump actions/checkout from 2 to 3 (#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC54: Onion Cleanup (#369) * SC-54: Onion cleanup (#348) # Voting Results The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— # Commit History * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * SC-54: Onion cleanup (#348) # Voting Results The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— # Commit History * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Integrate SC-48 CN requirements Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for eca3d08 - Browse repository at this point
Copy the full SHA eca3d08View commit details
Commits on Jan 12, 2023
-
Integrate SC-56 and SC-58 (#409)
* Update README (#294) Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Adjust the workflow file to build the actions (#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (#282) (#290) * SC47 Sunset subject:organizationalUnitName (#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * SC47 datefix (#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> * SC48 - Domain Name and IP Address Encoding (#285) (#302) * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC50 - Remove the requirements of 4.1.1 (#328) * SC50 - Remove the requirements of 4.1.1 (#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update version and date table Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338) * Sunset SHA-1 for OCSP signing (#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version, table, and date Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Bump actions/checkout from 2 to 3 (#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC54: Onion Cleanup (#369) * SC-54: Onion cleanup (#348) # Voting Results The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— # Commit History * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * SC-54: Onion cleanup (#348) # Voting Results The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— # Commit History * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * SC-56: 2022 Cleanup (#401) * SC-56: 2022 Cleanup (#385) Ballot has passed; moving to SC56 branch for IPR * #340 * #339 * #333 * #318 * #315 * #312 * #309 * #275 * #344 * #345 * #378 * #380 * #287 * #300 * #259 * #284 * #277 * #311 * #310 * Remove historical effective dates * #196 * #251 * #212 * #386 * Grammatical improvement suggested by Wendy Brown * Remove text for retired methods * Switch to new tables tooling * Fix broken section references * Bump upload-artifact version * Linkify US denied persons/entities list URLs Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update effective dates and tables Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * SC-58: Require distributionPoint in sharded CRLs (#396) (#403) * SC-58: Require distributionPoint in sharded CRLs (#396) * SC-XX: Require distributionPoint in sharded CRLs The language in RFC 5280 regarding the interaction between the distributionPoint field of the Issuing Distribution Point CRL extension and the existence of sharded CRLs has led to significant debate on interpretation, and appears to contradict X.509. To protect against replacement attacks, make it explicitly clear that the Issuing Distribution Point extension and distributionPoint field are required for sharded or partitioned CRLs. * Remind readers that the IDP must be critical * Change effective date to Jan 15 * Change effective date in Section 1.2 table, too * Update BR.md Co-authored-by: Aaron Gable <aaron@letsencrypt.org> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
Configuration menu - View commit details
-
Copy full SHA for 070bef1 - Browse repository at this point
Copy the full SHA 070bef1View commit details
Commits on Jan 26, 2023
-
Configuration menu - View commit details
-
Copy full SHA for e366471 - Browse repository at this point
Copy the full SHA e366471View commit details -
Profiles extended effective date (#413)
* Update BR.md * Update BR.md
Configuration menu - View commit details
-
Copy full SHA for 4be388a - Browse repository at this point
Copy the full SHA 4be388aView commit details -
Add policyQualifiers Note (#412)
* Add policyQualifiers Note Added explanation of rationale for NOT RECOMMENDED to section 7.1.2.10.5 * Update docs/BR.md Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Configuration menu - View commit details
-
Copy full SHA for 0689ba5 - Browse repository at this point
Copy the full SHA 0689ba5View commit details
Commits on Feb 17, 2023
-
SC-062 Profiles: Address various editorial and content nits (#418)
* Use unicode figure space for table indentation * Use unicode superscript for exponentiation * Fix surname_givenname footnote link * Use approx instead of e.g. for approximate years * Include profile name in subsection titles * Reduce table duplication in 7.1.2.2.3 * Explain criticality of Subscriber SAN in-line * Unify language in 7.1.2.7.12 * Unify language around NULL extension values * Simplify CRL Distribution Point tables * Cross-Certification establishes trust between any two CAs * Fix AuthorityInfoAccessSyntax name * More flexible Certificate Policy OID definitions * Close two precertificates with same serial loophole * fix basicConstraints empty value Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Fix upper bound for organizational-unit-name [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#:~:text=ub%2Dorganizational%2Dunit%2Dname%20INTEGER%20%3A%3A%3D%2064) defines 64 characters as the upper bound for ub-organizational-unit-name. * Fix typo: "committment" --> "commitment" (#2) * Clarify Cross-Certificate EKU Requirements (#3) --------- Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for aa9fc5d - Browse repository at this point
Copy the full SHA aa9fc5dView commit details
Commits on Mar 22, 2023
-
Configuration menu - View commit details
-
Copy full SHA for edf6a1c - Browse repository at this point
Copy the full SHA edf6a1cView commit details
Commits on Mar 30, 2023
-
* Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md
Configuration menu - View commit details
-
Copy full SHA for 83711e9 - Browse repository at this point
Copy the full SHA 83711e9View commit details
Commits on Apr 14, 2023
-
Configuration menu - View commit details
-
Copy full SHA for 92abb91 - Browse repository at this point
Copy the full SHA 92abb91View commit details
Commits on Apr 24, 2023
-
Configuration menu - View commit details
-
Copy full SHA for ec4f074 - Browse repository at this point
Copy the full SHA ec4f074View commit details