New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates #414
Conversation
Address Comments: - cabforum#402 (comment) (added "CRL") - cabforum#414 (comment) (as suggested)
Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to cabforum#414 (comment))
AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod.
Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate.
This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted.
While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion.
This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id)
Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections.
The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change.
This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2.
This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text.
For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant.
This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented").
* Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
…judication Make ocsp optional round 2 adjudication
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Looking at this with fresh post-vacation eyes caught one more phrasing thing, and then I finally allowed myself to comment on the formatting nits that don't affect the meaning of the ballot.
docs/BR.md
Outdated
- seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”); or | ||
- four (4) days in all other cases; | ||
2. MUST update and publish a new CRL within twenty-four (24) hours after recording a Certificate as revoked; and | ||
3. MUST include a `nextUpdate` field value that is no more than ten (10) days beyond the value of the `thisUpdate` field. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's fine to have this bullet point here (since it's historically been here), but I think it could also just be omitted because it's repeated in the table in Section 7.2.
The same applies for CAs issuing CA Certificates below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I appreciate that perspective.
I originally kept the language in 4.9.7 for consistency with the existing location in the BRs. However, now that this requirement is addressed in the CRL profile, the redundancy may create more headache than it's worth (i.e., if the nextUpdate period were to change in the future, we'd need to address it in two sections).
Addressed in: ryancdickson@9615372
docs/BR.md
Outdated
1. MUST update and publish a new CRL within at least: | ||
- seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”); or | ||
- four (4) days in all other cases; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still find this phrasing slightly confusing. Simplifying the sentence, it says "CAs MUST update and publish a new CRL within at least seven/four days." Within seven/four days of what? We know that it means "within seven/four days of publishing the previous version of the CRL", but it doesn't actually say that. The previous text said "once every seven days". Maybe we could borrow that language:
1. MUST update and publish a new CRL within at least: | |
- seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”); or | |
- four (4) days in all other cases; | |
1. MUST update and publish a new CRL: | |
- every seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”); or | |
- every four (4) days in all other cases; |
The same applies for CAs issuing CA Certificates below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we don't use "at least every X days" then if a CA decides to publish a new CRL sooner it would violate the requirement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah good catch, then I'm in favor of replacing "within at least" with "at least every".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aarongable and @dzacharo - any issues with this proposed update?
The CRL Distribution Points extension MUST NOT be present in: | ||
- OCSP Responder Certificates. | ||
|
||
When present, the CRL Distribution Points extension MUST contain at least one `DistributionPoint`; containing more than one is NOT RECOMMENDED. All `DistributionPoint` items must be formatted as follows: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When present, the CRL Distribution Points extension MUST contain at least one `DistributionPoint`; containing more than one is NOT RECOMMENDED. All `DistributionPoint` items must be formatted as follows: | |
When present, the CRL Distribution Points extension MUST contain at least one `DistributionPoint`; containing more than one is NOT RECOMMENDED. All `DistributionPoint` items MUST be formatted as follows: |
maybe? I'm not sure why this "must" wasn't capitalized previously.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was a typo on my part dating back to the early versions of the proposal.
docs/BR.md
Outdated
@@ -2748,7 +2768,7 @@ The `AuthorityInfoAccessSyntax` MAY contain multiple `AccessDescription`s with t | |||
|
|||
| __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Description__ | | |||
| -- | -- | ---- | - | - | --- | | |||
| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | SHOULD | \* | A HTTP URL of the Issuing CA's OCSP responder. | | |||
| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's OCSP responder. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: column alignment
| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's OCSP responder. | | |
| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's OCSP responder. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in ryancdickson@bbf5155.
docs/BR.md
Outdated
| __Field__ | __Presence__ | __Description__ | | ||
| --- | ------ | ------ | | ||
| `tbsCertList` | | | | ||
| `version` | MUST | MUST be v2(1), see [Section 7.2.1](#721-version-numbers) | | ||
| `signature` | MUST | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) | | ||
| `issuer` | MUST | MUST be byte-for-byte identical to the `subject` field of the Issuing CA. | | ||
| `thisUpdate` | MUST | Indicates the issue date of the CRL. | | ||
| `nextUpdate` | MUST | Indicates the date by which the next CRL will be issued. For CRLs covering Subscriber Certificates, at most 10 days after the `thisUpdate`. For other CRLs, at most 12 months after the `thisUpdate`. | | ||
| `revokedCertificates` | * | MUST be present if the CA has issued a certificate that has been revoked and the corresponding entry has yet to appear on at least one regularly scheduled CRL beyond the revoked certificate's validity period. The CA SHOULD remove an entry for a corresponding certificate after it has appeared on at least one regularly scheduled CRL beyond the revoked certificate's validity period. See the "revokedCertificates Component" table for additional requirements. | | ||
| `extensions` | MUST | See the "CRL Extensions" table for additional requirements. | | ||
| `signatureAlgorithm` | MUST | Encoded value MUST be byte-for-byte identical to the `tbsCertList.signature`. | | ||
| `signature` | MUST | - | | ||
| Any other value | NOT RECOMMENDED | - | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: column alignment
| __Field__ | __Presence__ | __Description__ | | |
| --- | ------ | ------ | | |
| `tbsCertList` | | | | |
| `version` | MUST | MUST be v2(1), see [Section 7.2.1](#721-version-numbers) | | |
| `signature` | MUST | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) | | |
| `issuer` | MUST | MUST be byte-for-byte identical to the `subject` field of the Issuing CA. | | |
| `thisUpdate` | MUST | Indicates the issue date of the CRL. | | |
| `nextUpdate` | MUST | Indicates the date by which the next CRL will be issued. For CRLs covering Subscriber Certificates, at most 10 days after the `thisUpdate`. For other CRLs, at most 12 months after the `thisUpdate`. | | |
| `revokedCertificates` | * | MUST be present if the CA has issued a certificate that has been revoked and the corresponding entry has yet to appear on at least one regularly scheduled CRL beyond the revoked certificate's validity period. The CA SHOULD remove an entry for a corresponding certificate after it has appeared on at least one regularly scheduled CRL beyond the revoked certificate's validity period. See the "revokedCertificates Component" table for additional requirements. | | |
| `extensions` | MUST | See the "CRL Extensions" table for additional requirements. | | |
| `signatureAlgorithm` | MUST | Encoded value MUST be byte-for-byte identical to the `tbsCertList.signature`. | | |
| `signature` | MUST | - | | |
| Any other value | NOT RECOMMENDED | - | | |
| __Field__ | __Presence__ | __Description__ | | |
| --- | ------ | ------ | | |
| `tbsCertList` | | | | |
| `version` | MUST | MUST be v2(1), see [Section 7.2.1](#721-version-numbers) | | |
| `signature` | MUST | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) | | |
| `issuer` | MUST | MUST be byte-for-byte identical to the `subject` field of the Issuing CA. | | |
| `thisUpdate` | MUST | Indicates the issue date of the CRL. | | |
| `nextUpdate` | MUST | Indicates the date by which the next CRL will be issued. For CRLs covering Subscriber Certificates, at most 10 days after the `thisUpdate`. For other CRLs, at most 12 months after the `thisUpdate`. | | |
| `revokedCertificates` | * | MUST be present if the CA has issued a certificate that has been revoked and the corresponding entry has yet to appear on at least one regularly scheduled CRL beyond the revoked certificate's validity period. The CA SHOULD remove an entry for a corresponding certificate after it has appeared on at least one regularly scheduled CRL beyond the revoked certificate's validity period. See the "revokedCertificates Component" table for additional requirements. | | |
| `extensions` | MUST | See the "CRL Extensions" table for additional requirements. | | |
| `signatureAlgorithm` | MUST | Encoded value MUST be byte-for-byte identical to the `tbsCertList.signature`. | | |
| `signature` | MUST | - | | |
| Any other value | NOT RECOMMENDED | - | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in ryancdickson@bbf5155.
docs/BR.md
Outdated
| __Extension__ | __Presence__ | __Critical__ | __Description__ | | ||
| ---- | - | - | ----- | | ||
| `authorityKeyIdentifier` | MUST | N | See [Section 7.1.2.11.1](#712111-authority-key-identifier) | | ||
| `CRLNumber` | MUST | N | MUST contain an INTEGER greater than or equal to zero (0) and less than 2¹⁵⁹, and convey a strictly increasing sequence. | | ||
| `IssuingDistributionPoint` | * | Y | See [Section 7.2.2.1 CRL Issuing Distribution Point](#7221-crl-issuing-distribution-point) | | ||
| Any other extension | NOT RECOMMENDED | - | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: column alignment
| __Extension__ | __Presence__ | __Critical__ | __Description__ | | |
| ---- | - | - | ----- | | |
| `authorityKeyIdentifier` | MUST | N | See [Section 7.1.2.11.1](#712111-authority-key-identifier) | | |
| `CRLNumber` | MUST | N | MUST contain an INTEGER greater than or equal to zero (0) and less than 2¹⁵⁹, and convey a strictly increasing sequence. | | |
| `IssuingDistributionPoint` | * | Y | See [Section 7.2.2.1 CRL Issuing Distribution Point](#7221-crl-issuing-distribution-point) | | |
| Any other extension | NOT RECOMMENDED | - | | | |
| __Extension__ | __Presence__ | __Critical__ | __Description__ | | |
| ---- | - | - | ----- | | |
| `authorityKeyIdentifier` | MUST | N | See [Section 7.1.2.11.1](#712111-authority-key-identifier) | | |
| `CRLNumber` | MUST | N | MUST contain an INTEGER greater than or equal to zero (0) and less than 2¹⁵⁹, and convey a strictly increasing sequence. | | |
| `IssuingDistributionPoint` | * | Y | See [Section 7.2.2.1 CRL Issuing Distribution Point](#7221-crl-issuing-distribution-point) | | |
| Any other extension | NOT RECOMMENDED | - | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in ryancdickson@b2df5dc.
When a CA obtains verifiable evidence of Key Compromise for a Certificate whose CRL entry does not contain a reasonCode extension or has a reasonCode extension with a non-keyCompromise reason, the CA SHOULD update the CRL entry to enter keyCompromise as the CRLReason in the reasonCode extension. Additionally, the CA SHOULD update the revocation date in a CRL entry when it is determined that the private key of the certificate was compromised prior to the revocation date that is indicated in the CRL entry for that certificate. | ||
When a CA obtains verifiable evidence of Key Compromise for a Certificate whose CRL entry does not contain a reasonCode extension or has a reasonCode extension with a non-keyCompromise reason, the CA SHOULD update the CRL entry to enter keyCompromise as the CRLReason in the reasonCode extension. | ||
|
||
#### 7.2.2.1 CRL Issuing Distribution Point |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: empty line after header
#### 7.2.2.1 CRL Issuing Distribution Point | |
#### 7.2.2.1 CRL Issuing Distribution Point | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in ryancdickson@bbf5155.
docs/BR.md
Outdated
| __Component__ | __Presence__ | __Description__ | | ||
| ---- | - | ----- | | ||
| `serialNumber` | MUST | MUST be byte-for-byte identical to the serialNumber contained in the revoked certificate. | | ||
| `revocationDate` | MUST | Normally, the date and time revocation occurred. See the footnote following this table for circumstances where backdating is permitted. | | ||
| `crlEntryExtensions` | * | See the "crlEntryExtensions Component" table for additional requirements. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: column width
| __Component__ | __Presence__ | __Description__ | | |
| ---- | - | ----- | | |
| `serialNumber` | MUST | MUST be byte-for-byte identical to the serialNumber contained in the revoked certificate. | | |
| `revocationDate` | MUST | Normally, the date and time revocation occurred. See the footnote following this table for circumstances where backdating is permitted. | | |
| `crlEntryExtensions` | * | See the "crlEntryExtensions Component" table for additional requirements. | | |
| __Component__ | __Presence__ | __Description__ | | |
| ---- | - | ----- | | |
| `serialNumber` | MUST | MUST be byte-for-byte identical to the serialNumber contained in the revoked certificate. | | |
| `revocationDate` | MUST | Normally, the date and time revocation occurred. See the footnote following this table for circumstances where backdating is permitted. | | |
| `crlEntryExtensions` | * | See the "crlEntryExtensions Component" table for additional requirements. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in ryancdickson@bbf5155.
|
||
#### 7.2.2.1 CRL Issuing Distribution Point | ||
Partitioned CRLs MUST include at least one of the names from the corresponding distributionPoint field of the cRLDistributionPoints extension of every certificate that is within the scope of this CRL. The encoded value MUST be byte-for-byte identical to the encoding used in the distributionPoint field of the certificate. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about CAs that shard CRLs but do not include the cRLDP in the certs? I don't think the intent is to prohibit that but this language seems to have that effect? Can we add something like 'or at least one of the URLs published in CCADB'? Also, in either case is there a chicken/egg problem here if CRLs are issued before certs or before CCADB is updated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My interpretation of: "Partitioned CRLs MUST include at least one of the names from the corresponding distributionPoint field of the cRLDistributionPoints extension of every certificate that is within the scope of this CRL. The encoded value MUST be byte-for-byte identical to the encoding used in the distributionPoint field of the certificate."
- If certificates DO contain a distributionPoint field and that name points to a partitioned CRL, that same name must appear in a corresponding CRL (in the Issuing Distribution Point extension).
- If certificates DO NOT contain a distributionPoint field (because there is no cRLDistributionPoints extension), neither statement applies. Regardless, if a CA issues partitioned CRLs, they are obligated to ensure that when those partitioned CRLs are aggregated, they represent the equivalent of a full and complete CRL.
7.1.2.11.2 (“CRL Distribution Points”) indicates that CRLDP is required for certificates that 1) do not qualify as "Short-lived Subscriber Certificates" and 2) do not include an Authority Information Access extension with an id-ad-ocsp accessMethod. This helps clarify the expectation that certificates can exist without CRLDP.
Can we add something like 'or at least one of the URLs published in CCADB'?
---> the concept of the CCADB is not known to the BRs. I sense this might be by design, as not all CAs who wish to conform with the BRs might have access to the CCADB, or a desire to disclose information publicly to the CCADB.
Also, in either case is there a chicken/egg problem here if CRLs are issued before certs or before CCADB is updated?
---> I'm not sure I understand the problem. Can you share more?
BRs (as proposed):
- Within 24 hours after issuing its first certificate, the CA must generate and publish a CRL (full and complete or partitioned)
Apple/Mozilla program requirements extend this by requiring disclosure of those URLs to CCADB within 7 days:
- Apple: "Effective October 1, 2022, CA providers must populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs" on Root and Intermediate Certificate records, within 7 days of the corresponding CA issuing its first certificate. This requirement applies to each included CA Certificate and each CA Certificate chaining up to an included CA Certificate in the Apple Root Program."
- Mozilla: "CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store SHALL populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs" within 7 days of such intermediate CA issuing its first certificate;"
As of a few weeks ago, there were at least 25 CRLs disclosed to CCADB that contained 0 revoked certificate entries. I’d have to look again to see if these CAs issued any certificates, but I’m not sure it matters.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My fundamental concern is that someone could come along in the future and interpret this section as an implicit requirement to include the cRLDP extension in certs when a CA is issuing sharded CRLs. Perhaps an easy clarification that aligns with your interpretation of the language is to prepend "If certificates contain a distributionPoints field and that name points to a partitioned CRL,..."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair point. Re-phrased, with that concern in mind:
"If a Certificate contains a distributionPoint field that does not point to the URI of a full and complete CRL, the corresponding CRL MUST contain the issuingDistributionPoint extension (OID 2.5.29.28). The encoded value of the issuingDistributionPoint extension MUST be byte-for-byte identical to the encoding used in the distributionPoint field of the Certificate."
Any concerns with this approach?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @wthayer!
CC @aarongable and @CBonnell - as I believe during past discussions you both had opinions on the language re: IDP. Any concerns with the above change? Candidly, I'd like this next round of discussion to be the last, so the more opinions, the better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I understand the intent behind the change, but the concern I have with the proposed language is that other GeneralNames cannot be included in the IDP extension (as the value of the extension itself must be binary equal to the single distributionPoint).
I suggest:
Partitioned CRLs MUST contain an Issuing Distribution Point extension. The distributionPoint
field of the Issuing Distribution Point extension MUST be present. Additionally, the fullName
field of the DistributionPointName value MUST be present, and its value MUST conform to the following requirements:
- If a Certificate within the scope of the CRL contains a CRL Distribution Points extension, then at least one of the
uniformResourceIdentifier
s in the CRL Distribution Points'sfullName
field MUST be included in thefullName
field of the CRL's Issuing Distribution Point extension. The encoding of theuniformResourceIdentifier
value in the Issuing Distribution Point extension SHALL be octet-for-octet identical to the encoding used in the Certificate's CRL Distribution Points extension. - Other GeneralNames of type
uniformResourceIdentifier
MAY be included. - Non-
uniformResourceIdentifier
GeneralName types MUST NOT be included.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @CBonnell. I think that works and still addresses @wthayer's earlier concern.
Aside from one small change (using "byte-for-byte" in lieu of "octet-for-octet" --- to avoid introducing a new term), I believe I incorporated your feedback "as-is."
I made some other small tweaks to improve consistency in how extensions introduced in this update are represented.
docs/BR.md
Outdated
* **privilegeWithdrawn (RFC 5280 CRLReason #9):** Indicates that there has been a subscriber-side infraction that has not resulted in keyCompromise, such as the Certificate Subscriber provided misleading information in their Certificate Request or has not upheld their material obligations under the Subscriber Agreement or Terms of Use. | ||
| __RFC 5280 reasonCode__ | __RFC 5280 reasonCode value__ | __Description__ | | ||
| --- | - | ------ | | ||
| unspecified | 0 | MUST be omitted if the CRL entry is for a Certificate not technically capable of causing issuance unless the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit, but I had to read this language a few times to get comfortable with it. I think a statement like 'the unspecified reason is represented by the omission of a reasonCode.' would add clarity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed in ryancdickson@530bc88
The "Description" column now reads: "Represented by the omission of a reasonCode. MUST be omitted if the CRL entry is for a Certificate not technically capable of causing issuance unless the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023."
@wthayer, does this work for you?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…judication Make ocsp optional round 3 adjudication.
Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly.
Nits.
#441) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414) * Profiles WIP * Clarify AIA based on 2021-06-12 call AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod. * Address basicConstraints for OCSP Responder feedback Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate. * Address the "any other value" situations with 7.1.2.4 language This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted. * Fix the certificatePolicies mismatched highlighted by Corey * Change SHOULD NOT to NOT RECOMMENDED While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion. * Remove dnsSRV and cleanup otherName handling This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id) * Formatting fix * Move the Non-TLS EKU requirement into the Non-TLS profile Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections. * Redo Certificate Policies for Non-TLS CAs The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change. * Naming Cleanup This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2. * Formatting & Section Heading fixes This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text. * Fix a bug in non-TLS technically constrained CAs For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant. * Redo Certificate Policies This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented"). * Minor fixes and cleanups (#399) * Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Integrate newer ballots (#406) * Update README (#294) Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Adjust the workflow file to build the actions (#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (#282) (#290) * SC47 Sunset subject:organizationalUnitName (#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * SC47 datefix (#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> * SC48 - Domain Name and IP Address Encoding (#285) (#302) * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC50 - Remove the requirements of 4.1.1 (#328) * SC50 - Remove the requirements of 4.1.1 (#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update version and date table Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338) * Sunset SHA-1 for OCSP signing (#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version, table, and date Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Bump actions/checkout from 2 to 3 (#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC54: Onion Cleanup (#369) * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Integrate SC-48 CN requirements Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023). * Update BR.md Address Comments: - #402 (comment) (added "CRL") - #414 (comment) (as suggested) * Align with BRs Inadvertent numbering change. * Update BR.md Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to #414 (comment)) * Update BR.md Cleaning-up proposal in advance of discussion. * Update EVG.md [clean-up diff, this file was not intentionally modified in the PR] * Update BR.md [clean-up] * Update BR.md [cleanup] * Update BR.md * Update BR.md * Update BR.md begin integrating SC-61 language. * integrate sc61 * Update BR.md continue tweaking to include sc61 * Update BR.md improve readability * Update BR.md * Update BR.md * Update BR.md * Update BR.md correct spelling error * Update BR.md * Update BR.md typo * Update BR.md * Update BR.md * Update BR.md * Improve specificity of CRL issuance frequency * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md Typo (thanks, Wendy!) * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md * Update BR.md * Update BR.md Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days." * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md "twenty four" -> "twenty-four" * Update BR.md * Add provision to handle nonces per RFC8954 * Update BR.md Improve readability. * Update BR.md * Update BR.md * Update BR.md CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates. This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise). * Address comment from Rob * Clean up language * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Address formatting nits * Address table formatting nits. * Remove redundant language re: nextUpdate * Clarify use of "unspecified" CRL Reason Code * Clarify IDP * (Further) Clarify IDP * Update BR.md Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly. * Update BR.md Nits. --------- Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md --------- Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com>
cabforum#441) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (cabforum#414) * Profiles WIP * Clarify AIA based on 2021-06-12 call AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod. * Address basicConstraints for OCSP Responder feedback Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate. * Address the "any other value" situations with 7.1.2.4 language This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted. * Fix the certificatePolicies mismatched highlighted by Corey * Change SHOULD NOT to NOT RECOMMENDED While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion. * Remove dnsSRV and cleanup otherName handling This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id) * Formatting fix * Move the Non-TLS EKU requirement into the Non-TLS profile Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections. * Redo Certificate Policies for Non-TLS CAs The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change. * Naming Cleanup This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2. * Formatting & Section Heading fixes This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text. * Fix a bug in non-TLS technically constrained CAs For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant. * Redo Certificate Policies This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented"). * Minor fixes and cleanups (cabforum#399) * Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Integrate newer ballots (cabforum#406) * Update README (cabforum#294) Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Adjust the workflow file to build the actions (cabforum#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (cabforum#282) (cabforum#290) * SC47 Sunset subject:organizationalUnitName (cabforum#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * SC47 datefix (cabforum#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> * SC48 - Domain Name and IP Address Encoding (cabforum#285) (cabforum#302) * SC48 - Domain Name and IP Address Encoding (cabforum#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (cabforum#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC50 - Remove the requirements of 4.1.1 (cabforum#328) * SC50 - Remove the requirements of 4.1.1 (cabforum#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update version and date table Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC53: Sunset SHA-1 for OCSP signing (cabforum#330) (cabforum#338) * Sunset SHA-1 for OCSP signing (cabforum#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version, table, and date Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Bump actions/checkout from 2 to 3 (cabforum#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (cabforum#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (cabforum#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC54: Onion Cleanup (cabforum#369) * SC-54: Onion cleanup (cabforum#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses cabforum#270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses cabforum#242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses cabforum#241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses cabforum#240. Things are signed using private, not public keys. * Addresses cabforum#190, cabforum#191. According to cabforum#191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * SC-54: Onion cleanup (cabforum#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses cabforum#270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses cabforum#242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses cabforum#241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses cabforum#240. Things are signed using private, not public keys. * Addresses cabforum#190, cabforum#191. According to cabforum#191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Integrate SC-48 CN requirements Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023). * Update BR.md Address Comments: - cabforum#402 (comment) (added "CRL") - cabforum#414 (comment) (as suggested) * Align with BRs Inadvertent numbering change. * Update BR.md Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to cabforum#414 (comment)) * Update BR.md Cleaning-up proposal in advance of discussion. * Update EVG.md [clean-up diff, this file was not intentionally modified in the PR] * Update BR.md [clean-up] * Update BR.md [cleanup] * Update BR.md * Update BR.md * Update BR.md begin integrating SC-61 language. * integrate sc61 * Update BR.md continue tweaking to include sc61 * Update BR.md improve readability * Update BR.md * Update BR.md * Update BR.md * Update BR.md correct spelling error * Update BR.md * Update BR.md typo * Update BR.md * Update BR.md * Update BR.md * Improve specificity of CRL issuance frequency * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md Typo (thanks, Wendy!) * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md * Update BR.md * Update BR.md Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days." * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md "twenty four" -> "twenty-four" * Update BR.md * Add provision to handle nonces per RFC8954 * Update BR.md Improve readability. * Update BR.md * Update BR.md * Update BR.md CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates. This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise). * Address comment from Rob * Clean up language * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Address formatting nits * Address table formatting nits. * Remove redundant language re: nextUpdate * Clarify use of "unspecified" CRL Reason Code * Clarify IDP * (Further) Clarify IDP * Update BR.md Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly. * Update BR.md Nits. --------- Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md --------- Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com>
* Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (#441) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414) * Profiles WIP * Clarify AIA based on 2021-06-12 call AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod. * Address basicConstraints for OCSP Responder feedback Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate. * Address the "any other value" situations with 7.1.2.4 language This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted. * Fix the certificatePolicies mismatched highlighted by Corey * Change SHOULD NOT to NOT RECOMMENDED While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion. * Remove dnsSRV and cleanup otherName handling This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id) * Formatting fix * Move the Non-TLS EKU requirement into the Non-TLS profile Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections. * Redo Certificate Policies for Non-TLS CAs The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change. * Naming Cleanup This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2. * Formatting & Section Heading fixes This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text. * Fix a bug in non-TLS technically constrained CAs For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant. * Redo Certificate Policies This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented"). * Minor fixes and cleanups (#399) * Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Integrate newer ballots (#406) * Update README (#294) Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Adjust the workflow file to build the actions (#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (#282) (#290) * SC47 Sunset subject:organizationalUnitName (#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * SC47 datefix (#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> * SC48 - Domain Name and IP Address Encoding (#285) (#302) * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC50 - Remove the requirements of 4.1.1 (#328) * SC50 - Remove the requirements of 4.1.1 (#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update version and date table Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338) * Sunset SHA-1 for OCSP signing (#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version, table, and date Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Bump actions/checkout from 2 to 3 (#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC54: Onion Cleanup (#369) * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Integrate SC-48 CN requirements Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023). * Update BR.md Address Comments: - #402 (comment) (added "CRL") - #414 (comment) (as suggested) * Align with BRs Inadvertent numbering change. * Update BR.md Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to #414 (comment)) * Update BR.md Cleaning-up proposal in advance of discussion. * Update EVG.md [clean-up diff, this file was not intentionally modified in the PR] * Update BR.md [clean-up] * Update BR.md [cleanup] * Update BR.md * Update BR.md * Update BR.md begin integrating SC-61 language. * integrate sc61 * Update BR.md continue tweaking to include sc61 * Update BR.md improve readability * Update BR.md * Update BR.md * Update BR.md * Update BR.md correct spelling error * Update BR.md * Update BR.md typo * Update BR.md * Update BR.md * Update BR.md * Improve specificity of CRL issuance frequency * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md Typo (thanks, Wendy!) * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md * Update BR.md * Update BR.md Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days." * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md "twenty four" -> "twenty-four" * Update BR.md * Add provision to handle nonces per RFC8954 * Update BR.md Improve readability. * Update BR.md * Update BR.md * Update BR.md CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates. This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise). * Address comment from Rob * Clean up language * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Address formatting nits * Address table formatting nits. * Remove redundant language re: nextUpdate * Clarify use of "unspecified" CRL Reason Code * Clarify IDP * (Further) Clarify IDP * Update BR.md Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly. * Update BR.md Nits. --------- Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md --------- Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Fall 2023 clean up (#460) * Issue#169 Issue #169 - updated 3.2.2.5.6 and 3.2.2.5.7 - added RFC 8738 in References * Issue #174 Issue #174 - Updated title in section 3.2.2.4.10 - Updated section 3.2.2.4.18 * Issue #337 Issue #337 - Updated title of the document to include TLS Server And also: - updated section 1.1, 1.2, 1.5 and 2.2 to be consistent with the new document name * Issue #423 Issue #423 Updated section 1.6.3 - removing version of the Webtrust and changing the link to redirect to all the documents published by CPA Canada - removing version of the NetSec and changing the link to redirect to the NetSec documents * Issue #430 Issue #430 Updated with the text suggested by Aaron as it´s the smallest change and clarifies the ambiguity of "reuse" * Issue #444 Issue #444 Added empty section 7.1.5 * Issue #450 Issue #450 Updated including link to the 6.2.7 section * Issue #453 Issue #453 Updated section as indicated * PR #415 PR #415 Updated title * Update BR.md Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alpahabetical order * Update BR.md Updated version and changelog * Issue #461 Issue #461 Used 2 option for the update * Update docs/BR.md Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Add line breaks in 7.1.2.11.2 According to #462 * Revert the change of the NSSR version Put back the version 1.7 in the NetSec * Update BR.md --------- Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> --------- Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com>
* Add files via upload * EVG.md * Update EVG.md * Create EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Delete EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG to match section 6 of the RFC 3647.md Updated section 1.1 from scope to overview Added section 3.2.1 for the possesion of the private key Changed totally/created new section 3.2.2 to cover all section 11 Moved section 8.1 to section 8 and renamed the others to meet RFC3647 Added the self-audits (8.1.1) under section 8.1 Left/created section 8.7 for pre/readiness audits which do not exist under RFC 3647 * Update EVG updating links.md 2 links were updated regarding section 8 * Update EVG.md Another link updated from 3.2.14.1 to 3.2.2.14.1 * Update branch for BRs pointing to new sections of EVGs (#476) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (#441) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414) * Profiles WIP * Clarify AIA based on 2021-06-12 call AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod. * Address basicConstraints for OCSP Responder feedback Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate. * Address the "any other value" situations with 7.1.2.4 language This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted. * Fix the certificatePolicies mismatched highlighted by Corey * Change SHOULD NOT to NOT RECOMMENDED While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion. * Remove dnsSRV and cleanup otherName handling This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id) * Formatting fix * Move the Non-TLS EKU requirement into the Non-TLS profile Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections. * Redo Certificate Policies for Non-TLS CAs The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change. * Naming Cleanup This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2. * Formatting & Section Heading fixes This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text. * Fix a bug in non-TLS technically constrained CAs For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant. * Redo Certificate Policies This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented"). * Minor fixes and cleanups (#399) * Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Integrate newer ballots (#406) * Update README (#294) Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Adjust the workflow file to build the actions (#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (#282) (#290) * SC47 Sunset subject:organizationalUnitName (#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * SC47 datefix (#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> * SC48 - Domain Name and IP Address Encoding (#285) (#302) * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC50 - Remove the requirements of 4.1.1 (#328) * SC50 - Remove the requirements of 4.1.1 (#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update version and date table Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338) * Sunset SHA-1 for OCSP signing (#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version, table, and date Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Bump actions/checkout from 2 to 3 (#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC54: Onion Cleanup (#369) * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Integrate SC-48 CN requirements Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023). * Update BR.md Address Comments: - #402 (comment) (added "CRL") - #414 (comment) (as suggested) * Align with BRs Inadvertent numbering change. * Update BR.md Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to #414 (comment)) * Update BR.md Cleaning-up proposal in advance of discussion. * Update EVG.md [clean-up diff, this file was not intentionally modified in the PR] * Update BR.md [clean-up] * Update BR.md [cleanup] * Update BR.md * Update BR.md * Update BR.md begin integrating SC-61 language. * integrate sc61 * Update BR.md continue tweaking to include sc61 * Update BR.md improve readability * Update BR.md * Update BR.md * Update BR.md * Update BR.md correct spelling error * Update BR.md * Update BR.md typo * Update BR.md * Update BR.md * Update BR.md * Improve specificity of CRL issuance frequency * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md Typo (thanks, Wendy!) * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md * Update BR.md * Update BR.md Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days." * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md "twenty four" -> "twenty-four" * Update BR.md * Add provision to handle nonces per RFC8954 * Update BR.md Improve readability. * Update BR.md * Update BR.md * Update BR.md CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates. This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise). * Address comment from Rob * Clean up language * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Address formatting nits * Address table formatting nits. * Remove redundant language re: nextUpdate * Clarify use of "unspecified" CRL Reason Code * Clarify IDP * (Further) Clarify IDP * Update BR.md Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly. * Update BR.md Nits. --------- Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md --------- Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Fall 2023 clean up (#460) * Issue#169 Issue #169 - updated 3.2.2.5.6 and 3.2.2.5.7 - added RFC 8738 in References * Issue #174 Issue #174 - Updated title in section 3.2.2.4.10 - Updated section 3.2.2.4.18 * Issue #337 Issue #337 - Updated title of the document to include TLS Server And also: - updated section 1.1, 1.2, 1.5 and 2.2 to be consistent with the new document name * Issue #423 Issue #423 Updated section 1.6.3 - removing version of the Webtrust and changing the link to redirect to all the documents published by CPA Canada - removing version of the NetSec and changing the link to redirect to the NetSec documents * Issue #430 Issue #430 Updated with the text suggested by Aaron as it´s the smallest change and clarifies the ambiguity of "reuse" * Issue #444 Issue #444 Added empty section 7.1.5 * Issue #450 Issue #450 Updated including link to the 6.2.7 section * Issue #453 Issue #453 Updated section as indicated * PR #415 PR #415 Updated title * Update BR.md Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alpahabetical order * Update BR.md Updated version and changelog * Issue #461 Issue #461 Used 2 option for the update * Update docs/BR.md Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Add line breaks in 7.1.2.11.2 According to #462 * Revert the change of the NSSR version Put back the version 1.7 in the NetSec * Update BR.md --------- Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> --------- Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BRs with the new EVGs section numbers.md Changed sections 3.2.2.4.7 and 7.1.2.7.5, updating the following: Section 3.2.2.4.7 EVG 11.14.3 to new 3.2.2.14.3 Section 7.1.2.7.5 EVG 9.2 to new 7.1.4.2 * Update EVG.md Updated section 7.1.2.2 to fix the link to section 7.1.4.2.8 --------- Co-authored-by: Martijn Katerbarg <martijn.katerbarg@sectigo.com> Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com>
* SC65: Convert EVGs into RFC 3647 format v2 (#440) * Add files via upload * EVG.md * Update EVG.md * Create EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Delete EVG original * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG.md * Update EVG to match section 6 of the RFC 3647.md Updated section 1.1 from scope to overview Added section 3.2.1 for the possesion of the private key Changed totally/created new section 3.2.2 to cover all section 11 Moved section 8.1 to section 8 and renamed the others to meet RFC3647 Added the self-audits (8.1.1) under section 8.1 Left/created section 8.7 for pre/readiness audits which do not exist under RFC 3647 * Update EVG updating links.md 2 links were updated regarding section 8 * Update EVG.md Another link updated from 3.2.14.1 to 3.2.2.14.1 * Update branch for BRs pointing to new sections of EVGs (#476) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (#441) * Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414) * Profiles WIP * Clarify AIA based on 2021-06-12 call AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod. * Address basicConstraints for OCSP Responder feedback Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate. * Address the "any other value" situations with 7.1.2.4 language This adopts the language from 7.1.2.4 to the various extensibility points, by trying to explicitly clarify as appropriate as to what is permitted. * Fix the certificatePolicies mismatched highlighted by Corey * Change SHOULD NOT to NOT RECOMMENDED While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion. * Remove dnsSRV and cleanup otherName handling This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id) * Formatting fix * Move the Non-TLS EKU requirement into the Non-TLS profile Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections. * Redo Certificate Policies for Non-TLS CAs The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change. * Naming Cleanup This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2. * Formatting & Section Heading fixes This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text. * Fix a bug in non-TLS technically constrained CAs For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant. * Redo Certificate Policies This reworks the presentation and format of the certificatePolicies extensions, better aligning to the BRs, and hopefully providing sufficient clarity: Relaxations: - Reserved Policy OID is * no longer* required to be first, but is RECOMMENDED (SHOULD). - The separation of "Affiliated" and "Unaffiliated" for certificate policies is removed. This was introduced for Cross-Certified Sub-CAs, but resulted in some ambiguity about what happens when a Technically Constrained (non-TLS or nameConstraints) Sub-CA is operated by a non-Affiliated entity. The requirements around Affiliation are now folded into a common section, rather than being two sections. - Although not permitted by the current BRs, the cPSuri is now explicitly allowed for all certificate policies (_including_ for anyPolicy). - anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders - Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED) for OCSP Responders. Clarifications: - A note is added to the OCSP Responder section explaining that because CPs limit the validity and purposes of a certificate, it becomes possible to create an "invalid" responder that clients will reject (and thus also reject responses), and that this is part of the reason for forbidding. - For TLS certificates, the requirements for CPs for sub-CAs versus leaf certificates had a slightly different wording: whether a given CP needed to be documented by the CA (e.g. could be any policy, including a reserved CP or anyPolicy) or needed to be _defined_ and documented by the CA (i.e. must be from the CA's own OID arc). This harmonizes the language for TLS ("defined by"), while still leaving a fairly large carveout for non-TLS ("documented"). * Minor fixes and cleanups (#399) * Add order and encoding requirement for DC attribute * Remove overly specific Cross-cert requirement; fix serialNumber encoding * Clarify NC exclusion * Remove "Domain Name or IP Address" validation requirement for now Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Integrate newer ballots (#406) * Update README (#294) Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Adjust the workflow file to build the actions (#296) This addresses a few requests that recently came up from the certificate profiles work: - Remove the explicit retention period (of 21 days) to allow the GitHub default of 90 days. - Change the generated ZIP file from being "BR.md-hash" to being "BR-hash". - Allow manually invoking the workflow (via workflow_dispatch), in the event folks want to re-run for a particular branch (e.g. profiles) - Attempt to resolve the "non-deterministic redline" noted by Jos. When a given commit is on cabforum/servercert, it may be both a commit (to a branch) and part of a pull request (to main). We want the pull request redline to be against main, while the commit redline to be against the previous commit. Because both jobs run, and both upload the same file name, this results in a non-deterministic clobbering, where the commit-redline may clobber the pr-redline. This changes the generated zip file to be "file-hash-event_type", so that it will generate redlines for both PRs and commits and attach both. * SC47 Sunset subject:organizationalUnitName (#282) (#290) * SC47 Sunset subject:organizationalUnitName (#282) * Deprecation of subject:organizationalUnitName * Update language to avoid confusion on the effective date This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google. Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * SC47 datefix (#298) * Update dates table * Update EVG.md Add SC47 reference to relevant dates table * Fixup section number in prior commit Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> * SC48 - Domain Name and IP Address Encoding (#285) (#302) * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * SC48 - Domain Name and IP Address Encoding (#285) * First pass * Add more RFC references, some wordsmithing * Another few fixes * Switch to use "LDH Labels" * Propose concrete effective date * Clarification about root zone trailing dot * Replace "label" with "Domain Label" throughout (#1) Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> * Fix double negative * Fix redundant "if the" Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos <castillar@melete.org> * Wrap xn-- to prevent ligaturization * Update dates and version numbers Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC50 - Remove the requirements of 4.1.1 (#328) * SC50 - Remove the requirements of 4.1.1 (#323) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Remove 4.1.1; persist compromised keys in 6.1.1.3 Remove section 4.1.1 from the BRs Explicitly require persistent access to compromised keys * Rebase based on upstream/main * Move System requirement to 6.1.1.3 * Add 4.1.1 as blank * Remove capitalization from 6.1.1.3 where terms are not defined * Re-add 'No stipulation.' to 4.1.1 * Remove change to 6.1.1.3 Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update version and date table Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338) * Sunset SHA-1 for OCSP signing (#330) * Sunset SHA-1 OCSP signing * Clarify necessity of both items * Standardize date format, fix year in effective date table Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version, table, and date Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Bump actions/checkout from 2 to 3 (#342) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347) * Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements (#336) * Bump cairosvg from 1.0.20 to 2.5.1 Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1. - [Release notes](https://github.com/Kozea/CairoSVG/releases) - [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst) - [Commits](Kozea/CairoSVG@1.0.20...2.5.1) Signed-off-by: dependabot[bot] <support@github.com> * Bump kramdown from 2.3.0 to 2.3.1 Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/gettalong/kramdown/releases) - [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page) - [Commits](https://github.com/gettalong/kramdown/commits) Signed-off-by: dependabot[bot] <support@github.com> * Restructure parts of 5.4.x and 5.5.x * Use 'events' consistently in 5.4.1 * Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates. * Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs * Remove WIP title; * re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry. * Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2. Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2. * Update link formatting in 5.4.1 The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency. Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> * Update effective date and version number * Update ballot table in document * Fix date string Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Ballot SC54: Onion Cleanup (#369) * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * SC-54: Onion cleanup (#348) The voting on ballot SC54 has completed, and the ballot has passed. Voting Results Certificate Issuers votes total, with no abstentions: 18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa 0 No Votes 0 Abstentions Certificate Consumers 6 votes total, with no abstentions: 6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla 0 No votes 0 Abstentions Bylaw Requirements 1. Bylaw 2.3(f) requires: · A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose. This requirement was MET for Certificate Issuers and MET for Certificate Consumers. · At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted. This requirement was MET. 2. Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot. This requirement was MET. This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues. —— * Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains. * Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4. * Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6. * Addresses #240. Things are signed using private, not public keys. * Addresses #190, #191. According to #191 (comment), effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way. * This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce. We agreed with Corey and Wayne to propose the removal of the requirement for the CA to *confirm* entropy. * Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting). * remove double space * Remove EVG Appendix F, introduce Onion Domain Name term * A few more minor tweaks * Fix numbering * Update for easier read. * Revert "Update for easier read." This reverts commit 1bac785. Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> * Update version numbers and dates Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos Purvis <jopurvis@cisco.com> * Integrate SC-48 CN requirements Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023). * Update BR.md Address Comments: - #402 (comment) (added "CRL") - #414 (comment) (as suggested) * Align with BRs Inadvertent numbering change. * Update BR.md Add consideration for a phased reduction of short-lived subscriber certificate validity. (in response to #414 (comment)) * Update BR.md Cleaning-up proposal in advance of discussion. * Update EVG.md [clean-up diff, this file was not intentionally modified in the PR] * Update BR.md [clean-up] * Update BR.md [cleanup] * Update BR.md * Update BR.md * Update BR.md begin integrating SC-61 language. * integrate sc61 * Update BR.md continue tweaking to include sc61 * Update BR.md improve readability * Update BR.md * Update BR.md * Update BR.md * Update BR.md correct spelling error * Update BR.md * Update BR.md typo * Update BR.md * Update BR.md * Update BR.md * Improve specificity of CRL issuance frequency * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md Typo (thanks, Wendy!) * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update docs/BR.md Editorial Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md * Update BR.md * Update BR.md Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days." * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update docs/BR.md Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> * Update BR.md "twenty four" -> "twenty-four" * Update BR.md * Add provision to handle nonces per RFC8954 * Update BR.md Improve readability. * Update BR.md * Update BR.md * Update BR.md CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates. This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise). * Address comment from Rob * Clean up language * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Update BR.md * Address formatting nits * Address table formatting nits. * Remove redundant language re: nextUpdate * Clarify use of "unspecified" CRL Reason Code * Clarify IDP * (Further) Clarify IDP * Update BR.md Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly. * Update BR.md Nits. --------- Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BR.md --------- Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Fall 2023 clean up (#460) * Issue#169 Issue #169 - updated 3.2.2.5.6 and 3.2.2.5.7 - added RFC 8738 in References * Issue #174 Issue #174 - Updated title in section 3.2.2.4.10 - Updated section 3.2.2.4.18 * Issue #337 Issue #337 - Updated title of the document to include TLS Server And also: - updated section 1.1, 1.2, 1.5 and 2.2 to be consistent with the new document name * Issue #423 Issue #423 Updated section 1.6.3 - removing version of the Webtrust and changing the link to redirect to all the documents published by CPA Canada - removing version of the NetSec and changing the link to redirect to the NetSec documents * Issue #430 Issue #430 Updated with the text suggested by Aaron as it´s the smallest change and clarifies the ambiguity of "reuse" * Issue #444 Issue #444 Added empty section 7.1.5 * Issue #450 Issue #450 Updated including link to the 6.2.7 section * Issue #453 Issue #453 Updated section as indicated * PR #415 PR #415 Updated title * Update BR.md Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alpahabetical order * Update BR.md Updated version and changelog * Issue #461 Issue #461 Used 2 option for the update * Update docs/BR.md Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Add line breaks in 7.1.2.11.2 According to #462 * Revert the change of the NSSR version Put back the version 1.7 in the NetSec * Update BR.md --------- Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> --------- Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update BRs with the new EVGs section numbers.md Changed sections 3.2.2.4.7 and 7.1.2.7.5, updating the following: Section 3.2.2.4.7 EVG 11.14.3 to new 3.2.2.14.3 Section 7.1.2.7.5 EVG 9.2 to new 7.1.4.2 * Update EVG.md Updated section 7.1.2.2 to fix the link to section 7.1.4.2.8 --------- Co-authored-by: Martijn Katerbarg <martijn.katerbarg@sectigo.com> Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com> * Update EVG.md * Update BR.md Update of the TLS BRs with updated pointers to the new EVG sections * Update EVG.md Changed version and date of the EVGs and added the correspondent ballot number --------- Co-authored-by: Martijn Katerbarg <martijn.katerbarg@sectigo.com> Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com> Co-authored-by: Ryan Sleevi <rsleevi@chromium.org> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com> Co-authored-by: Jos <castillar@melete.org> Co-authored-by: Jos Purvis <jopurvis@cisco.com> Co-authored-by: Ryan Sleevi <sleevi@google.com> Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com> Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com> Co-authored-by: Wayne Thayer <wthayer@gmail.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Clint Wilson <clintw@apple.com> Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com> Co-authored-by: Aaron Gable <aaron@aarongable.com>
This pull request is a follow-up to #402, which inadvertently made edits to the in-progress "profiles" branch.
Due to conflicts, #402 was closed. Since closing #402, a separate branch (i.e., "make-ocsp-optional") has been created dedicated to this specific proposal. Comments made on #402 will be transposed here.
Background, motivation, and additional information is available here.
This "Pull Request" is intended to be used to foster discussion within the community in advance of requesting endorsors and beginning the balloting process.