[Servercert-wg] Voting Period Begins - Ballot SC-073: Compromised and Weak Keys

2024-04-25 Thread Wayne Thayer via Servercert-wg
Purpose of Ballot SC-073 This ballot proposes updates to the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates related to weak and compromised private keys. These changes lie primarily in Section 6.1.1.3: - 6.1.1.3(4) clarifies that, for

[Servercert-wg] Ballot SC-XX: Modify section 3.2.2.4.7 to clarify CA Assisted DNS Validation [DRAFT]

2024-04-25 Thread Slaughter, Michael via Servercert-wg
Hello all, Here is a draft ballot that proposes changes to section 3.2.2.4.7 of the TLS Server Certificate BRs that make it clear that CAs are authorized to operate domains for the purpose of assisting Applicants with performing DNS validation. I am seeking two endorsers. Note: Redline link

[Servercert-wg] CRL reason codes and CRL requirements

2024-04-25 Thread Doug Beattie via Servercert-wg
We were looking at some of the details in Ballot SC-063 V4: Make OCSP Optional, Require CRLs, and Incentivize Automation https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#721-version-numbers We have 2 comments in the area of CRLs and Reason

[Servercert-wg] Ballot SC-74 - Clarify CP/CPS structure according to RFC 3647

2024-04-25 Thread Dimitris Zacharopoulos (HARICA) via Servercert-wg
SC-74 - Clarify CP/CPS structure according to RFC 3647 Summary The TLS Baseline Requirements require in section 2.2 that: "The Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647 and MUST include all material required by RFC

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-25 Thread Dimitris Zacharopoulos (HARICA) via Servercert-wg
Hi Ryan, The question is not between HTTP vs FTP vs LDAP but specifically for "HTTP URL" that could have two schemes "http" and "https". RFC 2616 (June 1999) included only "http" and was updated in May 2000 by RFC 2817 to include TLS Within

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-25 Thread Sven Rajala via Servercert-wg
[like] Sven Rajala reacted to your message: From: Servercert-wg on behalf of Ryan Dickson via Servercert-wg Sent: Thursday, April 25, 2024 12:29:21 PM To: Adriano Santoni ; CA/B Forum Server Certificate WG Public Discussion List Subject: Re: [Servercert-wg]

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-25 Thread Ryan Dickson via Servercert-wg
It's my understanding that the intent of the updates made in SC-62 were to prohibit any non-HTTP URI. This was discussed in: 1) at least one historical GitHub discussion (referenced in ballot preamble

Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-25 Thread Adriano Santoni via Servercert-wg
Hi, IMO, including an HTTPS URI in the *id-ad-caIssuers* accessMethod is at least a bad practice and very unwise (if done on purpose), as it may give rise to unbounded loops, as it is clearly explained in RFC5280: CAs SHOULD NOT include URIs that specify https, ldaps, or similar schemes in

[Servercert-wg] Question regarding the id-ad-caIssuers accessMethod URI

2024-04-25 Thread Dimitris Zacharopoulos (HARICA) via Servercert-wg
Dear Members, I have a quick question regarding the id-ad-caIssuers accessMethod URI. Section 4.2.2.1 of RFC 5280 states that: When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an