I actually agree with Inigo here, I think “help” is a vague concept that is
inappropriate for a technical requirement, even at the SHOULD level. It’s a
nice sentiment, not a requirement.
-Tim
From: Servercert-wg On Behalf Of Dimitris Zacharopoulos via Servercert-wg
Sent: Tuesday, May
structure according
to RFC 3647
Hi Tim,
On May 10, 2024, at 8:52 AM, Tim Hollebeek via Servercert-wg <servercert-wg@cabforum.org> wrote:
Whether the comparison should be case sensitive or not is not a question of how
“strict” the linter should be, but what the requirements are. Linters MUST NOT
make their own determinations as to what the requirements are, and SHOULD
highlight cases like this where ambiguity may be present.
DigiCert votes NO on Ballot SC-74.
The ballot is insufficiently clear about whether punctuation, capitalization,
etc. have to match exactly, and RFC 3647, which is Informative and was never
intended to be used this way, is inconsistent itself in its use of
capitalization and punctuation.
DigiCert votes YES on SC-72.
-Tim
From: Servercert-wg On Behalf Of Paul van Brouwershaven via Servercert-wg
Sent: Monday, March 25, 2024 8:01 AM
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: [Servercert-wg] [Voting Period Begins]: SC-72 - Delete except to
DigiCert votes YES on SC-070.
-Tim
From: Servercert-wg On Behalf Of Aaron Gable via Servercert-wg
Sent: Tuesday, February 13, 2024 11:57 AM
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: [Servercert-wg] [Voting Period Begins] SC-070: Clarify the use of
DTPs for
I'm probably not going to be on the call, and I'd also like to point out
that as far as I'm aware, I never volunteered for the minutes list (because
I can't always be on the calls anymore), so perhaps the inclusion process
needs some examination.
-Tim
From: Servercert-wg On Behalf Of
There are a number of attack scenarios that cause network devices to
crash/restart either as part of the attack, or as a consequence of the fallout
from an attack. So paying attention to if some of your network hardware and
software crashes unexpectedly and/or becomes significantly less stable
Yeah, this is where the GlobalSign ballot is actually an excellent start. I
enjoyed Eva's overview on a recent validation SC call. I need to dig deeper
into it and do more analysis of the proposals and what I think of them.
It's an ongoing conversation internally and I hope to have some
DigiCert votes YES on SC-68.
-Tim
From: Servercert-wg On Behalf Of Dimitris Zacharopoulos (HARICA) via Servercert-wg
Sent: Tuesday, January 23, 2024 4:00 AM
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: [Servercert-wg] Voting Begins for Ballot SC-68: Allow VATEL
Feel free to bring it up, but I still oppose it for all the reasons we
discussed when we had this discussion the last time. Adding more mandatory
details to the ballot process is not progress. We need to get back to
improving the requirements, and not spending so much time on bylaws and
Right. We do not want to allow blanket or undisclosed exceptions to the
CA/Browser Forum rules, so a generic carve out would do more harm than good.
If anyone is aware of local laws that are a challenge for BR compliance, they
SHOULD, and in some cases, MUST, bring them to the attention of
Significantly better, thank you.
-Tim
From: Aaron Gable
Sent: Monday, January 8, 2024 1:42 PM
To: Tim Hollebeek
Cc: CA/B Forum Server Certificate WG Public Discussion List
Subject: Re: [Servercert-wg] Seeking endorsers: Ballot SC-XX: Measure all hours
and days to the second
I've
You don’t want to call out “reasonableness” unless you’re actually going to let
people use their discretion.
The first new sentence, as I read it, could be rewritten as: “All statements of
time periods SHALL be taken to mean exactly that time period, and not one
microsecond more.”
That
Yeah, I think more modular and cleaner requirements is where we should focus
our efforts, not increasingly fine-grained enforcement of RFC 3647.
-Tim
From: Bruce Morton
Sent: Monday, December 4, 2023 2:22 PM
To: Inigo Barreira ; CA/B Forum Server Certificate
WG Public Discussion List ;
Yes. Whether that’s the RIGHT proposal is debatable, but I think it’s a VALID
proposal that should not be rejected as “non-compliant”.
If people think compliance requirements are important here, a good path would
be an update to RFC 3647 that turns it into a normative document with
Yeah, the fact that the section 6 outline goes deeper than the actual described
format in section 4 is annoying, and you’re right, it’s probably the source of
these disagreements. I always look at section 4, because it has the actual
guidance about what sort of information should be considered
No.
IETF has both Normative and Informative RFCs. While it is true that compliance
with a Normative RFC is voluntary, if you do choose to comply, the RFC has
requirements stated in RFC 2119 standards language that make it clear what the
compliance rules are. Informative RFCs like 3647 do
is unhelpful, imo.
For whatever it's worth, I think that Section 11 of the current EVGs could be
renumbered wholesale to become Section 3.2, retaining its subsections as-is,
with few or no issues.
Aaron
On Fri, Dec 1, 2023 at 8:51 AM Tim Hollebeek via Servercert-wg
mailto:servercert-wg
This is unfortunately wrong. There are lots of misconceptions about RFC 3647
“compliance”.
The first point is that RFC 3647 is an INFORMATIONAL RFC. You can see this
right at the top, where it says “Category: Informational”. This means that it
contains no requirements and it’s impossible
DigiCert votes YES on ballot SC-066.
-Tim
From: Servercert-wg On Behalf Of Inigo Barreira via Servercert-wg
Sent: Thursday, November 16, 2023 1:50 PM
To: CA/B Forum Server Certificate WG Public Discussion List
Subject: [Servercert-wg] VOTE FOR APPROVAL Ballot SC-066: Fall 2023 Clean-up
This is perfect, thank you. I’ll run it through our internal ballot review
process and get you feedback from our compliance team.
-Tim
From: Inigo Barreira
Sent: Friday, September 8, 2023 12:54 PM
To: Tim Hollebeek ; Dimitris Zacharopoulos
(HARICA) ; CA/B Forum Server Certificate WG Public
Yes, exactly. I would like to see a list that shows that EVG-classic section
1.4 is now in EVG-3647 section 4.1. Then I can look at where the new text
landed, see how the conversion was handled, we can all verify that nothing was
lost or left out, etc.
Without that, anyone attempting to
Thanks for doing this Inigo ... I know re-organizations like this are a lot of
work and fall very much in the category of "important but not fun". So thanks
for taking an initial stab at this.
Is there a mapping that shows where all the original text ended up? I think
that's going to be
I agree with Bruce, and I think we might also want to synchronize the effective
dates. Many customers have a variety of kinds of certificates included in the
same contract, and having two different sets of terminology for the same legal
document involved in the same contract would be really
Do these automatically issued certificates have the serverAuth EKU, and is it
necessary for them to chain to a publicly-trusted root? If not, they’re out of
scope for the server certificate baseline requirements. If so, why can they
not be in full compliance with the standard TLS profiles?
Just a helpful reminder to everyone trying to comply with this ballot to also
check the Microsoft Root Program and its requirements around OCSP, which
haven't changed.
I don't want anyone accidentally running afoul of those program requirements
because they read the BRs in isolation.
-Tim
Hello Q,
My opinion is that this would be a great discussion to have at an upcoming
meeting of the Validation Subcommittee.
-Tim
From: Servercert-wg On Behalf Of Dean
Coclin via Servercert-wg
Sent: Wednesday, July 26, 2023 7:22 PM
To: servercert-wg@cabforum.org
Subject: [Servercert-wg]
bution by region and come up with a
reasonable threshold? Can we rely on StatCounter, or should we look elsewhere?
Thanks,
Ben
On Wed, Jul 12, 2023 at 9:30 AM Tim Hollebeek via Servercert-wg <servercert-wg@cabforum.org> wrote:
I have a meaningful comment.
I don’t want to ever hav
It is not entirely clear that a CA can use its CPS to enforce new requirements
on third parties that are reporting key compromises in BR-compliant ways. I
get why it might be attractive to do so, but people should focus their efforts
on fixing the BR language instead of just unilaterally
ayne
On Wed, Jul 5, 2023 at 11:43 AM Tim Hollebeek via Servercert-wg <servercert-wg@cabforum.org> wrote:
Just wanted to make sure CAs are aware of the Gutmann testkeys draft, which
will be an RFC soon. CAs should add these keys to the list of keys they refuse
to issue certifica
I have a meaningful comment.
I don’t want to ever have to discuss or judge whether someone’s comment is
“meaningful” or not, and I don’t think incentivizing people to post more
comments than they otherwise would is helpful.
I also think getting the chairs involved in any way in discussing