Let's Encrypt endorses this.

On Thu, Mar 31, 2016 at 6:06 PM, Peter Bowen <[email protected]> wrote:
> Here is a revised draft. It removes the wildcard changes and fixes a few
> small typos. Any more changes or does anyone want to endorse?
>
>> On Mar 30, 2016, at 9:17 PM, Peter Bowen <[email protected]> wrote:
>>
>> Here is a redlined version in MS Word format. <CA-Browser Forum BR
>> 1.3.3-corrections.doc>
>>
>>> On Mar 30, 2016, at 11:54 AM, Rick Andrews <[email protected]>
>>> wrote:
>>>
>>> Peter, you've done a lot of work here, and I don't want to appear
>>> ungrateful, but it's difficult to follow some of these changes. In the
>>> past, others have submitted ballots with redlined Word or pdf docs to make
>>> it easier to see exactly what is changing. Would it be possible to do that
>>> for this ballot?
>>>
>>> -Rick
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On
>>> Behalf Of Peter Bowen
>>> Sent: Monday, March 28, 2016 5:27 PM
>>> To: CABFPub <[email protected]>
>>> Subject: [cabfpub] Draft Ballot - Baseline Requirements Corrections
>>>
>>> All,
>>>
>>> Here is the combined set of changes from the corrections thread. It does
>>> not include allowing underscore in FQDNs nor does it allow U-labels in
>>> commonName attributes, as these did not appear to have consensus. It does
>>> include a basic proposed change to the allowable content of the
>>> organizationName field of CA certificates, to match what is allowed in
>>> non-CA certificates, as an attempt to incorporate feedback from discussion
>>> on that topic.
>>>
>>> I’ve proposed making these immediately effective, as I did not hear people
>>> calling out a need for time to implement.
>>>
>>> Thanks,
>>> Peter
>>>
>>> =============
>>>
>>> Ballot 1XX: Baseline Requirements Corrections
>>>
>>> The following motion has been proposed by Peter Bowen of Amazon and
>>> endorsed by _____________ of _____________ and __________ of ____________:
>>>
>>> Background:
>>>
>>> A number of small corrections and clarifications to the Baseline
>>> Requirements have been identified. These are, in general, changes that
>>> reflect the existing understanding of the Baseline Requirements by the
>>> Forum. Due to the understanding that these primarily represent existing
>>> practice, they are combined for efficiency.
>>>
>>> -- MOTION BEGINS --
>>>
>>> Effective the date of passage, the following modifications to the Baseline
>>> Requirements are adopted:
>>>
>>> In Section 1.6.1:
>>> - In the definition of "Applicant Representative", replace "and agrees to
>>> the Certificate Terms of Use" with "the Terms of Use" and append "or is the
>>> CA" at the end of the definition;
>>> - In the definition of "Terms of Use", append "or is the CA" at the end of
>>> the definition;
>>> - In the definition of "Wildcard Certificate", replace "an asterisk (*) in
>>> the left‐most position of any of the Subject Fully‐Qualified Domain Names"
>>> with "a Wildcard DN in any of the Subject Alternative Name dNSNames";
>>> - Insert a new definition: "Wildcard Domain Name (Wildcard DN): A Domain
>>> Name formed by prepending '*.' to a FQDN"
>>>
>>> In section 3.2.2.6:
>>> - Replace "wildcard character (*)" with "Wildcard DN";
>>> - Replace "wildcard character occurs in the first label position to the
>>> left of" with "FQDN portion of the Wildcard DN is";
>>> - Replace " a wildcard would fall within the label immediately to the left
>>> of a registry‐controlled† or public suffix," with "so,";
>>> - Replace "“*.example.com” to Example Co." with "“*.example” if the
>>> .example gTLD includes Specification 13 in its registry agreement".
>>>
>>> Move the content in section 3.3.1 to section 4.2.1 to become the third
>>> paragraph in 4.2.1 and leave section 3.3.1 blank.
>>>
>>> In section 4.9.9, replace all occurrences of "RFC2560" with "RFC6960".
>>>
>>> In section 5.2.2, insert "CA" immediately before "Private Key".
>>>
>>> In section 6.1.2, append "without authorization by the Subscriber" to the
>>> end of the first sentence.
>>>
>>> In section 6.1.6, update the last citation to read: "[Source: Sections
>>> 5.6.2.3.2 and 5.6.2.3.3, respectively, of NIST SP 56A: Revision 2]"
>>>
>>> In section 6.2, in the second sentence, insert "CA" immediately before both
>>> instances of "Private Key".
>>>
>>> In section 6.2.5, append "without authorization by the Subordinate CA" to
>>> the end of the sentence.
>>>
>>> In section 7, insert the following introduction paragraph:
>>> "All Certificates and Certificate Revocation Lists SHALL comply with RFC
>>> 5280 and RFC 6818. They SHALL additionally comply with RFC3279, RFC4055,
>>> RFC5480, RFC5756, RFC5758 as appropriate based on the Subject Public Key
>>> Info and the Signature Algorithm present in the certificate."
>>>
>>> In sections 7.1.2.1(e) and 7.1.2.2(h) change the organizationName line to
>>> read:
>>> "- organizationName (OID 2.5.4.10): This field MUST be present and the
>>> contents MUST contain either the Subject CA’s name or DBA as verified under
>>> Section 3.2.2.2. The CA may include information in this field that differs
>>> slightly from the verified name, such as common variations or
>>> abbreviations, provided that the CA documents the difference and any
>>> abbreviations used are locally accepted abbreviations; e.g., if the
>>> official record shows “Company Name Incorporated”, the CA MAY use “Company
>>> Name Inc.” or “Company Name”."
>>>
>>> Change the title of section 7.1.4.2 to "Subject Information - Subscriber
>>> Certificates".
>>>
>>> In section 7.1.4.2.1, replace "Wildcard FQDNs are permitted."
>>> with "Wildcard DNs are permitted as an exception to RFC5280 and X.509".
>>>
>>> In section 9.6.1 item 6:
>>> - Insert "are the same entity or" immediately prior to "are Affiliated";
>>> - Remove "and accepted".
>>>
>>> In section 9.6.3, replace "agreement to the Terms of Use agreement." with
>>> "acknowledgement of the Terms of Use."
>>>
>>> In section 9.6.3 item 2, replace "maintain sole control" with "assure
>>> control".
>>>
>>> In the following sections, replace all occurrences of "Subscriber or Terms
>>> of Use Agreement" with "Subscriber Agreement or Terms of Use".
>>> - Section 1.6.1, in the definition of "Subscriber"
>>> - Section 4.1.2
>>> - Section 4.9.1.1
>>> - Section 4.9.11
>>> - Section 9.6.1
>>> - Section 9.6.3
>>>
>>> -- MOTION ENDS --
>>>
>>> _______________________________________________
>>> Public mailing list
>>> [email protected]
>>> https://cabforum.org/mailman/listinfo/public

--
Josh Aas
Executive Director
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA
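
An added example, not part of the thread or the ballot text: a syntactic check of SAN dNSName values against the "Wildcard DN" definition in the quoted first draft ('*.' prepended to a FQDN), which the revised draft at the top of the thread drops. The function names and sample names are assumptions made here, and the public-suffix rule of section 3.2.2.6 is a separate policy check that this sketch does not perform.

```python
import re

# One LDH label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
# Underscores are rejected, matching the draft's note that they lacked consensus.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_fqdn(name: str) -> bool:
    """True if name is a dotted sequence of LDH labels, at most 253 chars.

    A trailing dot or an empty label makes the name fail.
    """
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def classify_dns_name(name: str) -> str:
    """Classify a SAN dNSName as 'fqdn', 'wildcard-dn' or 'invalid'."""
    if name.startswith("*."):
        # Draft definition: a Wildcard DN is '*.' prepended to a FQDN, so the
        # remainder must be a plain FQDN ('*.*.example.com' fails here).
        return "wildcard-dn" if is_fqdn(name[2:]) else "invalid"
    # Any other asterisk ('f*.example.com', 'www.*.example.com') is not LDH.
    return "fqdn" if is_fqdn(name) else "invalid"


def is_wildcard_certificate(san_dns_names) -> bool:
    """Draft definition: a Wildcard DN in any of the SAN dNSNames."""
    return any(classify_dns_name(n) == "wildcard-dn" for n in san_dns_names)


# Constructed sample SAN entries (not taken from the thread).
SAMPLES = [
    "www.example.com", "*.example.com", "*.example",
    "f*.example.com", "www.*.example.com", "*.*.example.com",
    "foo_bar.example.com",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(f"{entry:22} {classify_dns_name(entry)}")
```
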
