Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SC48 - Domain Name and IP Address Encoding #285

Merged
merged 10 commits into from Aug 24, 2021

Conversation

CBonnell
Copy link
Member

This ballot clarifies several points that were left unanswered in the wake of the ballot 202 failure. The following items are proposed with an immediate effective date (but of course can be discussed):

  • Prohibition on U-labels in the CN
  • More clarity surrounding Reserved IP Addresses

For a future effective date (TBD):

  • Prohibition on Reserved LDH domain labels that are not XN-labels
  • Requirement that all XN-labels must be validated as containing valid Punycode

Copy link
Contributor

@sleevi sleevi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, I think you've hit all the right notes, and we'd be supportive of this.

I think one question I have is: should we fold this into the profiles work? I think that should be ready to go shortly (outstanding items are SRVName constraints, fixing up the backdating, and any discussion on validity periods that may get proposed)

I realize that makes it a smaller part of a much larger change, but also hopefully fits with what you're trying to do here: clarify the expectations and also introduce future requirements.

So far, the profile work hasn't overlapped with any of our other ballots, so it hasn't come up yet.

docs/BR.md Outdated Show resolved Hide resolved
@CBonnell
Copy link
Member Author

So, I think you've hit all the right notes, and we'd be supportive of this.

Thanks for the review and feedback!

I think one question I have is: should we fold this into the profiles work? I think that should be ready to go shortly (outstanding items are SRVName constraints, fixing up the backdating, and any discussion on validity periods that may get proposed)

I think we're looking to push this separately from the profiles ballot, for two reasons:

  1. The concepts introduced here all should be familiar to the Forum since they were included in Ballot 202. It's essentially a "self-contained" ballot that CAs can assess independently from the larger profiles work.
  2. Proposing small improvements such as this independently from the profiles work will make evaluation of the profiles less burdensome when it is ready for wider discussion/review, as there will be less normative changes introduced.

@sleevi
Copy link
Contributor

sleevi commented Jun 10, 2021

  1. The concepts introduced here all should be familiar to the Forum since they were included in Ballot 202. It's essentially a "self-contained" ballot that CAs can assess independently from the larger profiles work.
  2. Proposing small improvements such as this independently from the profiles work will make evaluation of the profiles less burdensome when it is ready for wider discussion/review, as there will be less normative changes introduced.

But I think both these points are true for most of the profiles work, right?

Re: 2, maybe I'm miscalibrated - I've been trying to circulate the profiles work for feedback for a while for that wider discussion/review. Because of that, I was thinking the review period would only be a week - but it sounds like you're thinking the review period may be longer (i.e. that CAs have not yet started reviewing that work), and that's why this would benefit clearing sooner / being separable?

I'm not wanting to insist this be part of profiles, but mostly trying to think through the sequencing of how multiple ballots in flight will be managed, given the overlap here in terms of sections touched. It makes it possible that I'll get it wrong (particularly, the handling of the "if this ballot succeeds" / "if this ballot fails" variants), so, selfishly, it's a little easier if integrated. It's the same reason I haven't (yet) pushed a spring (haha, summer) cleanup ballot yet - same risk.

What's your thought on the timing of this ballot? That is, I realize there's an open question for what the effective date should be for the new changes, and I wasn't sure when you see that effective date being resolved (because it means that time, +6 weeks, will have to deal with the conflict in the profiles work)

@dzacharo
Copy link
Contributor

@CBonnell, I reviewed the ballot last week and we'd be happy to endorse.

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
@CBonnell CBonnell changed the title Ballot 202, redux SC48 - Domain Name and IP Address Encoding Jul 1, 2021
Comment on lines +956 to +958
Wildcard Domain Name in the Certificate is “registry-controlled” or is a “public suffix” (e.g. “\*.com”, “\*.co.uk”, see RFC 6454 Section 8.2 for further explanation).

If a wildcard would fall within the label immediately to the left of a registry-controlled or public suffix, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue "\*.co.uk" or "\*.local", but MAY issue "\*.example.com" to Example Co.).
If the FQDN portion of any Wildcard Domain Name is "registry-controlled" or is a "public suffix", CAs MUST refuse issuance unless the Applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue "\*.co.uk" or "\*.local", but MAY issue "\*.example.com" to Example Co.).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor nit: there is an inconsistency here between smart quotes (line 956: “registry-controlled”) and straight quotes (line 958: "registry-controlled").

Copy link
Member Author

@CBonnell CBonnell Jul 12, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless others disagree, it appears that the BRs use both types of quoting (straight vs. smart) so I think we should decide on which type of quotes we want in the documents and then fix all occurrences at once. Given that the documents are already inconsistent and mixed usage doesn't impair readability, I don't think we should delay the ballot further to address this instance of mixed use.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, we can leave these as-is for this ballot. Pandoc will automatically convert these to ligatures for the PDF rendering, so it makes no difference.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, no need to delay this ballot to fix it. I only brought it up because both of these (mismatched) quotes were introduced in this ballot, not just a simple matter of this ballot using one style adjacent to where the other style already existed.

@castillar castillar changed the base branch from main to SC48 July 22, 2021 17:53

* If the value is an IPv4 address, then the value MUST be encoded as an IPv4Address as specified in RFC 3986, Section 3.2.2.
* If the value is an IPv6 address, then the value MUST be encoded in the text representation specified in RFC 5952, Section 4.
* If the value is a Fully-Qualified Domain Name or Wildcard Domain Name, then the value MUST be encoded as a character-for-character copy of the `dNSName` entry value from the `subjectAltName` extension. Specifically, all Domain Labels of the Fully-Qualified Domain Name or FQDN portion of the Wildcard Domain Name must be encoded as LDH Labels, and P-Labels MUST NOT be converted to their Unicode representation.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi all, can I just ask for a clarification on this line. Does this mean that the commonName field must be exactly found in a SAN dNSName entry or would it be reasonable for the common name to be EXAMPLE.COM and the SAN dNSName to be example.com? DNS names are not case-sensitive so it shouldn't matter but I just want to clarify what precisely is meant by a character-for-character copy?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for raising this. I agree this isn't clear and I should have worded this better.
As you mentioned, DNS is case-insensitive so differences in casing aren't material. Given this, I think it's reasonable to interpret this as a "case-insensitive character-for-character copy". Nonetheless, we should make this explicit in the next "Spring cleanup" ballot.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I agree, we should interpret as @CBonnell recommends and fix in a clean up ballot.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I agree with Corey here with how we should interpret it. A character in an IA5String is an unambiguous value from the ASCII/IA5 character table, and an 'a' character is not equivalent to an 'A' character.

I don't believe our current language permits this case differential. I understand Corey reasonably suggesting we can consider changing that, but I don't believe that's currently what the text reads.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The intent of my writing "character-for-character copy" was to prohibit transformation of P-labels in a SAN dNSName to U-labels in the CN. The next sentence, "Specifically, " clarifies that is the intent. Even if we did mandate a case-sensitive match, I'm not sure what goal that would accomplish from a practical standpoint.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ryan, I assume you would potentially be looking at certs issued after the ballot passes IPR review as mis-issued? Or would consider all certificates mis-issued regardless of issue date?

Copy link
Contributor

@sleevi sleevi Aug 6, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mike-reilly Effective date (i.e ~3 weeks from now)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Understand. Certs would be considered mis-issued by Google Chrome after effective date (about 3 weeks from now). Thanks, Mike

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To clarify......only certs issued AFTER the IPR review ends would be potentially be considered mis-issued by Google Chrome correct?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct. Certificates issued after the effective date are misissued if they are not exact character by character copies (that is, preserving case)

@castillar castillar merged commit 594b6f3 into cabforum:SC48 Aug 24, 2021
castillar added a commit that referenced this pull request Aug 25, 2021
* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>
castillar added a commit that referenced this pull request Aug 27, 2021
* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
@CBonnell CBonnell deleted the ballot/202_redux branch October 5, 2021 21:30
CBonnell added a commit to CBonnell/servercert that referenced this pull request Aug 3, 2022
* SC48 - Domain Name and IP Address Encoding (cabforum#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (cabforum#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
CBonnell added a commit that referenced this pull request Dec 1, 2022
* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Integrate SC-48 CN requirements

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
CBonnell added a commit that referenced this pull request Jan 12, 2023
* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC-56: 2022 Cleanup (#401)

* SC-56: 2022 Cleanup (#385)

Ballot has passed; moving to SC56 branch for IPR

* #340

* #339

* #333

* #318

* #315

* #312

* #309

* #275

* #344

* #345

* #378

* #380

* #287

* #300

* #259

* #284

* #277

* #311

* #310

* Remove historical effective dates

* #196

* #251

* #212

* #386

* Grammatical improvement suggested by Wendy Brown

* Remove text for retired methods

* Switch to new tables tooling

* Fix broken section references

* Bump upload-artifact version

* Linkify US denied persons/entities list URLs

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update effective dates and tables

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-58: Require distributionPoint in sharded CRLs (#396) (#403)

* SC-58: Require distributionPoint in sharded CRLs (#396)

* SC-XX: Require distributionPoint in sharded CRLs

The language in RFC 5280 regarding the interaction between the
distributionPoint field of the Issuing Distribution Point CRL extension
and the existence of sharded CRLs has led to significant debate on
interpretation, and appears to contradict X.509.

To protect against replacement attacks, make it explicitly clear that
the Issuing Distribution Point extension and distributionPoint field are
required for sharded or partitioned CRLs.

* Remind readers that the IDP must be critical

* Change effective date to Jan 15

* Change effective date in Section 1.2 table, too

* Update BR.md

Co-authored-by: Aaron Gable <aaron@letsencrypt.org>

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
barrini added a commit that referenced this pull request Apr 24, 2023
* Profiles WIP

* Clarify AIA based on 2021-06-12 call

AIA allows multiple methods, and multiple instances of each method.
However, client implementations use the ordering to indicate priority,
as per RFC 5280, so clarify the requirements for multiple
AccessDescriptions with the same accessMethod.

* Address basicConstraints for OCSP Responder feedback

Rather than make basicConstraints MUST, make it a MAY, to allow
omission (plus v3) or presence (but empty) to indicate that it is not
a CA certificate.

* Address cRLDistributionPoints

As captured on
https://archive.cabforum.org/pipermail/validation/2021-July/001675.html
provide better guidance for the encoding of cRLDistributionPoints and
the permitted protocols.

* Fix broken link and better clarify WIP sections

* Clarify OCSP and other EKUs

Non-TLS CAs MUST NOT include id-kp-OCSPSigning, since this would
potentially make them OCSP signers for the issuing CA. Similarly,
with respect to non-TLS CAs, it's fine (and useful!) to use other
EKUs, so this is a MAY (or possibly SHOULD), not a SHOULD NOT.

* Remove stale FIXME regarding serial numbers

* Introduce Precertificate Signing CA Profile

A Precertificate Signing CA, ontologically, a type of Technically
Constrained Non-TLS Sub-CA, by virtue of the Extended Key Usage. To
avoid ambiguity, this introduces a profile specific for Precert Signing
CAs that make it clear that the Precert Signing EKU MUST be the only EKU
present, to avoid a situation similar to that seen with OCSP responders.

RFC 6962 is somewhat fast and loose with respect to whether or not
"CA:true" is required in the profile for these, but in practice,
implementations of logs, and existing CAs, do expect CA:true.

Although not meant to be a normative change from the existing practices
and consequences of existing requirements, it does make explicit that
such CAs MUST only sign Precertificates; although this is less critical
given the EKU constraint (to being a singular EKU), it represents a
defense in depth approach consistent with existing practice.

* Align postalCode/streetAddress hierarchy

As pointed out by DigiCert, postal code represents a greater enclosing
area than the street address, and thus hierarchically should appear
first.

* Fix nameConstraints for TLS subCAs

They were accidentally a MUST, when they should have been a MAY. Bad
copy/paste.

* Bump OCSP placeholder dates for cert policies

Move the effective date to 6 months from now; will likely continue to
move as we finalize things, but offers a placeholder to handling
effective dates.

* Make cRLDP MUST NOT for OCSP Responders

As pointed out by Corey, an id-pkix-ocsp-nocheck should be expected to
disable all revocation checking (not just recursive OCSP revocation
checking), so it makes sense to MUST NOT the cRLDP for the OCSP
Responder, since we MUST nocheck.

* Fix typo -> MMAY to MAY

* Precertificates and Precertificate Signing CAs

This introduces the notion of Precertificates and Precertificate
Signing CAs as part of the Profiles, and captures the existing
requirements from RFC 6962. It defines a Precertificate as based
on a transformation of an existing Certificate conforming to one
of the profiles, as opposed to attempting to define variants for
every version or how to construct a Precertificate for a given
profile.

This attempts to similarly capture that, for purposes of compliance,
a Precertificate is treated as if there is an equivalent Certificate,
by reflecting that Precertificates need to match a Certificate based
on the transformations defined, and that the Certificates need to
match the profiles defined.

* Address validity periods

This attempts to clarify when/how backdating is allowed, particularly
since it may affect path building. It gives a generous period for CA
backdating when the distinguishedName remains the same, but may be
imperfect if the keys are changing.

* Address the "any other value" situations with 7.1.2.4 language

This adopts the language from 7.1.2.4 to the various extensibility
points, by trying to explicitly clarify as appropriate as to what is
permitted.

* Fix the certificatePolicies mismatched highlighted by Corey

* Formatting and plurality fixup

* Change SHOULD NOT to NOT RECOMMENDED

While RFC 2119 establishes that these two phrases are semantically
equivalent, it's been suggested that this may resolve some anxiety
around misinterpretations of SHOULD NOT as SHALL NOT, particularly
by auditors.

By changing this to NOT RECOMMENDED, the same guidance is preserved,
but it hopefully makes it more palatable to CAs.

See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830
for related discussion.

* Clarify subject name rules & add effective date

This restructures the naming rules to try to clarify:
- That technically constrained non-TLS sub-CAs are in-scope, but the
  certificates they issue are not
- That the rules about byte-for-byte apply for all certificates in
  scope
- That the requirements for the ordering and sequencing of names is
  a forward-dated requirement. Although it can be argued that some
  of these are existing requirements, avoid any messiness by
  structuring it holistically.
- Adds a note to 7.1.4 to call out that 7.1.2.2.1 provides an
  exception
- State the exception in 7.1.2.2.1 both normatively and informatively,
  to try and avoid misinterpretation.

This was based on Corey's feedback in
https://github.com/sleevi/cabforum-docs/pull/36/files#r689880007

* Remove dnsSRV and cleanup otherName handling

This removes the (buggy) description of DNS SRV and leaves it overall
as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements.
It also fixes up a typo (extension OID -> type-id)

* Formatting fix

* Move the Non-TLS EKU requirement into the Non-TLS profile

Originally it was part of the common fields, when there were multiple
variations of non-TLS CAs. However, as there is only a single
reference to this section, fold it in to the non-TLS profile.

This hopefully makes it clearer about the EKU requirements for
non-TLS CAs (being what defines something as non-TLS), and reduces
some confusion around non-TLS and TLS common sections.

* Redo Certificate Policies for Non-TLS CAs

The existing language was buggy, in that a link target was updated, but
not the section heading. However, it was further buggy due to the
interactions between Affiliated and Non-Affiliated CAs.

This overhauls it in line with the November and F2F discussions; unlike
many of the other extensions in this section (which are dictated by RFC
5280 as being mandatory for certain situations), certificatePolicies is
not, so this is demoted to a MAY.

However, the language from RFC 5280 does set out some guidance - such
as not recommending that a policyQualifier be present - and so that
requirement is preserved, under the argument that a non-TLS CA should
still align with RFC 5280 if issued under a BR CA.

This does *remove* an existing BR requirement, namely those inherited
from Section 7.1.6.3, but since that seemed to align with the intent
of the SCWG, this should be a positive change.

* Make PolicyIdentifier ordering optional

This makes the requirement for the Reserved Policy Identifier
to be the first policyIdentifier optional, while explaining with
a note the basis for that logic. To avoid confusion, it makes it
clear that only one instance of a Reserved Policy Identifier may
be present (e.g. can't be simultaneously OV and EV)

* Indicate a max for serial numbers

This incorporates Corey's
https://github.com/sleevi/cabforum-docs/pull/39/commits/04c55a4cdf2f6ea068bd1f743a83b60def34dcae

* Try to address the SKI uniqueness

The approach to SKI uniqueness was flagged as ambigous, and two options
were presented:
  - Option 1, mandate the SKI generation algorithm
  - Option 2, clarify that it's only unique "for the CA"

Option 2 still has security risks with respect to denial of service,
but CAs were unsure about when Option 1 would b eimplementable (e.g.
if mandating SHA-2, CA software that uses SHA-1 would need to be
updated).

For now, this goes with Option 2, although a mandatory algorithm would
resolve the issues wholesale.

This is adapted from Corey Bonnell's
https://github.com/sleevi/cabforum-docs/pull/39/commits/41cb3063b41af69615bba5410279396994d2ebc0

* Allow backdating up to 48 hours

This adopts a 48 hour window, as proposed in
https://github.com/sleevi/cabforum-docs/pull/39/commits/816ad7aa79cbfc1315561590d89ed7a9fd076b97

* Naming Cleanup

This moves the metadata prohibition and domain name prohibition from
applying to all certificates to only applying to Subscriber certificates
(and in particular, to IV/OV/EV).

This also corrects the organizationalUnit name to reflect SC47v2.

* Harmonize effective dates to 2022-11-01

This only affects the certificatePolicies for OCSP Responders and
the naming rules (for all certificates), but shifts to a harmonized
date.

* Formatting & Section Heading fixes

This fixes a few unnumbered sections (around validity periods)
and adjusts the formatting for several tables to better accomodate
the text.

* OrganizationalUnitName fixups

Fixup the OU field

* Remove stale TODO/TBDs

* Fix a bug in non-TLS technically constrained CAs

For non-TLS CAs, don't allow them to assert the BR's CP OIDs,
as the certificates will not be BR compliant.

* CT Cleanups

In order for the precertificate signing CA to be considered
technically constrained, restrict its EKU to only permitting it
to issue precertificates.

Additionally, add a cross-reference and tweak a MAY to a may, as the
paragraph that follows the MAY contains the actual normative
requirement, and this is just an informative explainer.

* Remove rfc822Name from TLS technically constrained CAs

rfc822Name is allowed, and described, in 7.1.2.10.9, as its a
translation of the requirements of 3.2.2.4/3.2.2.5/7.1.2.4 of the
existing BRs, and there are some CA profiles that allow non-TLS
EKUs to be present (for ex, cross-certification).

For technically constrained TLS sub-CAs, it was originally present
because of Mozilla Root Store Policy, Section 1.1, which requires
out-of-scope CAs to constrain on that name type. However, since
a TCSC TLS CA MUST NOT include EKUs other than serverAuth &
clientAuth, it was seen as unnecessary to even allow rfc822Name.

* Clarify Precert language

This clarifies the language around precerts by:

* harmonizing on 'corresponding Certificate' instead of 'equivalent
  Certificate'
* changing 'byte-for-byte equivalent' to 'byte-for-byte identical'
  to avoid any ambiguity
* Rewording the AKI section when using a Precert Signing CA, to avoid
  stating the same requirement several ways that might be read as
  giving conflicting or different guidance, and RECOMMENDING/SHOULD
  harmonizing on the AKI containing the Precert Signing CA's SKI,
  as the Log is expected to transform and substitute (and all
  observed logs appear to do so).

* Redo Certificate Policies

This reworks the presentation and format of the certificatePolicies
extensions, better aligning to the BRs, and hopefully providing
sufficient clarity:

Relaxations:

- Reserved Policy OID is * no longer* required to be first, but is
  RECOMMENDED (SHOULD).
- The separation of "Affiliated" and "Unaffiliated" for certificate
  policies is removed. This was introduced for Cross-Certified
  Sub-CAs, but resulted in some ambiguity about what happens when a
  Technically Constrained (non-TLS or nameConstraints) Sub-CA is
  operated by a non-Affiliated entity. The requirements around
  Affiliation are now folded into a common section, rather than being
  two sections.
- Although not permitted by the current BRs, the cPSuri is now
  explicitly allowed for all certificate policies (_including_ for
  anyPolicy).
- anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for
  OCSP Responders
- Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED)
  for OCSP Responders.

Clarifications:
- A note is added to the OCSP Responder section explaining that
  because CPs limit the validity and purposes of a certificate, it
  becomes possible to create an "invalid" responder that clients will
  reject (and thus also reject responses), and that this is part of
  the reason for forbidding.
- For TLS certificates, the requirements for CPs for sub-CAs versus
  leaf certificates had a slightly different wording: whether a given
  CP needed to be documented by the CA (e.g. could be any policy,
  including a reserved CP or anyPolicy) or needed to be _defined_ and
  documented by the CA (i.e. must be from the CA's own OID arc). This
  harmonizes the language for TLS ("defined by"), while still leaving a
  fairly large carveout for non-TLS ("documented").

* Changes to Key Usage values for Subscriber Certificates (#376)

Changing dataEncipherment for RSA and KeyAgreement for ECC to not recommended.

* Definitions Update - Pending Prohibition (#388)

* Add single all-encompassing effective date (#381)

* Add single all-encompassing effective date

* Integrate discussion from 2022-08-25 VSC call

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Add specification for EV attributes (#391)

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update to allow multiple instances of subject attributes (#392)

* Update to allow multiple instances of subject attributes

To allow for multiple instances of the domainContact attributes until we can address at an upcoming ballot.

* Specific exceptions for attributes with multiple instances

Allow multiple instances of the same attribute for `streetAddress` and `domainComponent`.
For the latter, language from [ballot 102](https://cabforum.org/2013/05/31/ballot-102-br-9-2-3-domaincomponent/) was used.

* Correct IV streetAddress multiple instances

For consistency allow multiple instances for the `streetAddress` attribute in IV Certificates.

* Update docs/BR.md

Improved language for the domainComponent

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Add order and encoding requirement for DC attribute (#395)

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Clarify OUs in CA Certificates (#398)

* Clarify that OUs are not allowed for CA Certificates described in section 7.1.2.3 per conversation in https://lists.cabforum.org/pipermail/validation/2022-October/001812.html.

Added an effective date of 2022-12-12 which can be updated as needed.

* Fix typo with quotes

* Update based on F2F 57

- Removal of OU validation rules prior to 2022-12-12 because it includes non-TLS Issuing CAs
- Clarification that the "MUST NOT" for OUs after 2022-12-12 also applies to Root CA Certificates and TLS Subordinate CA Certificates

* fix effective date

* Fix references and adding the two types of TLS CAs

* Improve language around OUs in CA Certificates

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Capitalize "CA certificates" for consistency

* Fix typo

Fix typo based on https://github.com/cabforum/servercert/pull/398#discussion_r1013037979

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Minor fixes and cleanups (#399)

* Add order and encoding requirement for DC attribute

* Remove overly specific Cross-cert requirement; fix serialNumber encoding

* Clarify NC exclusion

* Remove "Domain Name or IP Address" validation requirement for now

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Integrate newer ballots (#406)

* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409,  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409,  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Integrate SC-48 CN requirements

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Integrate SC-56 and SC-58 (#409)

* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409,  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409,  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC-56: 2022 Cleanup (#401)

* SC-56: 2022 Cleanup (#385)

Ballot has passed; moving to SC56 branch for IPR

* #340

* #339

* #333

* #318

* #315

* #312

* #309

* #275

* #344

* #345

* #378

* #380

* #287

* #300

* #259

* #284

* #277

* #311

* #310

* Remove historical effective dates

* #196

* #251

* #212

* #386

* Grammatical improvement suggested by Wendy Brown

* Remove text for retired methods

* Switch to new tables tooling

* Fix broken section references

* Bump upload-artifact version

* Linkify US denied persons/entities list URLs

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update effective dates and tables

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-58: Require distributionPoint in sharded CRLs (#396) (#403)

* SC-58: Require distributionPoint in sharded CRLs (#396)

* SC-XX: Require distributionPoint in sharded CRLs

The language in RFC 5280 regarding the interaction between the
distributionPoint field of the Issuing Distribution Point CRL extension
and the existence of sharded CRLs has led to significant debate on
interpretation, and appears to contradict X.509.

To protect against replacement attacks, make it explicitly clear that
the Issuing Distribution Point extension and distributionPoint field are
required for sharded or partitioned CRLs.

* Remind readers that the IDP must be critical

* Change effective date to Jan 15

* Change effective date in Section 1.2 table, too

* Update BR.md

Co-authored-by: Aaron Gable <aaron@letsencrypt.org>

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@letsencrypt.org>

* This PR fixes issues in section 7.1.2.7.3 and 7.1.2.7.4. (#416)

* Profiles extended effective date (#413)

* Update BR.md

* Update BR.md

* Add policyQualifiers Note (#412)

* Add policyQualifiers Note

Added explanation of rationale for NOT RECOMMENDED to section 7.1.2.10.5

* Update docs/BR.md

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* SC-062 Profiles: Address various editorial and content nits (#418)

* Use unicode figure space for table indentation

* Use unicode superscript for exponentiation

* Fix surname_givenname footnote link

* Use approx instead of e.g. for approximate years

* Include profile name in subsection titles

* Reduce table duplication in 7.1.2.2.3

* Explain criticality of Subscriber SAN in-line

* Unify language in 7.1.2.7.12

* Unify language around NULL extension values

* Simplify CRL Distribution Point tables

* Cross-Certification establishes trust between any two CAs

* Fix AuthorityInfoAccessSyntax name

* More flexible Certificate Policy OID definitions

* Close two precertificates with same serial loophole

* fix basicConstraints empty value

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Fix upper bound for organizational-unit-name

[RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#:~:text=ub%2Dorganizational%2Dunit%2Dname%20INTEGER%20%3A%3A%3D%2064) defines 64 characters as the upper bound for ub-organizational-unit-name.

* Fix typo: "committment" --> "commitment" (#2)

* Clarify Cross-Certificate EKU Requirements  (#3)

---------

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>

* Fix broken links (#427)

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md (#429)

---------

Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: AnetaWojtczak <104534364+AnetaWojtczak@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
ryancdickson pushed a commit to ryancdickson/staging that referenced this pull request Apr 25, 2023
* Update README (cabforum#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (cabforum#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (cabforum#282) (cabforum#290)

* SC47 Sunset subject:organizationalUnitName (cabforum#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (cabforum#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (cabforum#285) (cabforum#302)

* SC48 - Domain Name and IP Address Encoding (cabforum#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (cabforum#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (cabforum#328)

* SC50 - Remove the requirements of 4.1.1 (cabforum#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (cabforum#330) (cabforum#338)

* Sunset SHA-1 for OCSP signing (cabforum#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (cabforum#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (cabforum#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (cabforum#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (cabforum#369)

* SC-54: Onion cleanup (cabforum#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses cabforum#270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses cabforum#242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses cabforum#241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses cabforum#240. Things are signed using private, not public keys.

* Addresses cabforum#190, cabforum#191. According to cabforum#191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (cabforum#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses cabforum#270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses cabforum#242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses cabforum#241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses cabforum#240. Things are signed using private, not public keys.

* Addresses cabforum#190, cabforum#191. According to cabforum#191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Integrate SC-48 CN requirements

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
barrini pushed a commit that referenced this pull request Jul 17, 2023
…n / Short-Lived Certificates (#414)

* Profiles WIP

* Clarify AIA based on 2021-06-12 call

AIA allows multiple methods, and multiple instances of each method.
However, client implementations use the ordering to indicate priority,
as per RFC 5280, so clarify the requirements for multiple
AccessDescriptions with the same accessMethod.

* Address basicConstraints for OCSP Responder feedback

Rather than make basicConstraints MUST, make it a MAY, to allow
omission (plus v3) or presence (but empty) to indicate that it is not
a CA certificate.

* Address the "any other value" situations with 7.1.2.4 language

This adopts the language from 7.1.2.4 to the various extensibility
points, by trying to explicitly clarify as appropriate as to what is
permitted.

* Fix the certificatePolicies mismatched highlighted by Corey

* Change SHOULD NOT to NOT RECOMMENDED

While RFC 2119 establishes that these two phrases are semantically
equivalent, it's been suggested that this may resolve some anxiety
around misinterpretations of SHOULD NOT as SHALL NOT, particularly
by auditors.

By changing this to NOT RECOMMENDED, the same guidance is preserved,
but it hopefully makes it more palatable to CAs.

See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830
for related discussion.

* Remove dnsSRV and cleanup otherName handling

This removes the (buggy) description of DNS SRV and leaves it overall
as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements.
It also fixes up a typo (extension OID -> type-id)

* Formatting fix

* Move the Non-TLS EKU requirement into the Non-TLS profile

Originally it was part of the common fields, when there were multiple
variations of non-TLS CAs. However, as there is only a single
reference to this section, fold it in to the non-TLS profile.

This hopefully makes it clearer about the EKU requirements for
non-TLS CAs (being what defines something as non-TLS), and reduces
some confusion around non-TLS and TLS common sections.

* Redo Certificate Policies for Non-TLS CAs

The existing language was buggy, in that a link target was updated, but
not the section heading. However, it was further buggy due to the
interactions between Affiliated and Non-Affiliated CAs.

This overhauls it in line with the November and F2F discussions; unlike
many of the other extensions in this section (which are dictated by RFC
5280 as being mandatory for certain situations), certificatePolicies is
not, so this is demoted to a MAY.

However, the language from RFC 5280 does set out some guidance - such
as not recommending that a policyQualifier be present - and so that
requirement is preserved, under the argument that a non-TLS CA should
still align with RFC 5280 if issued under a BR CA.

This does *remove* an existing BR requirement, namely those inherited
from Section 7.1.6.3, but since that seemed to align with the intent
of the SCWG, this should be a positive change.

* Naming Cleanup

This moves the metadata prohibition and domain name prohibition from
applying to all certificates to only applying to Subscriber certificates
(and in particular, to IV/OV/EV).

This also corrects the organizationalUnit name to reflect SC47v2.

* Formatting & Section Heading fixes

This fixes a few unnumbered sections (around validity periods)
and adjusts the formatting for several tables to better accomodate
the text.

* Fix a bug in non-TLS technically constrained CAs

For non-TLS CAs, don't allow them to assert the BR's CP OIDs,
as the certificates will not be BR compliant.

* Redo Certificate Policies

This reworks the presentation and format of the certificatePolicies
extensions, better aligning to the BRs, and hopefully providing
sufficient clarity:

Relaxations:

- Reserved Policy OID is * no longer* required to be first, but is
  RECOMMENDED (SHOULD).
- The separation of "Affiliated" and "Unaffiliated" for certificate
  policies is removed. This was introduced for Cross-Certified
  Sub-CAs, but resulted in some ambiguity about what happens when a
  Technically Constrained (non-TLS or nameConstraints) Sub-CA is
  operated by a non-Affiliated entity. The requirements around
  Affiliation are now folded into a common section, rather than being
  two sections.
- Although not permitted by the current BRs, the cPSuri is now
  explicitly allowed for all certificate policies (_including_ for
  anyPolicy).
- anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for
  OCSP Responders
- Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED)
  for OCSP Responders.

Clarifications:
- A note is added to the OCSP Responder section explaining that
  because CPs limit the validity and purposes of a certificate, it
  becomes possible to create an "invalid" responder that clients will
  reject (and thus also reject responses), and that this is part of
  the reason for forbidding.
- For TLS certificates, the requirements for CPs for sub-CAs versus
  leaf certificates had a slightly different wording: whether a given
  CP needed to be documented by the CA (e.g. could be any policy,
  including a reserved CP or anyPolicy) or needed to be _defined_ and
  documented by the CA (i.e. must be from the CA's own OID arc). This
  harmonizes the language for TLS ("defined by"), while still leaving a
  fairly large carveout for non-TLS ("documented").

* Minor fixes and cleanups (#399)

* Add order and encoding requirement for DC attribute

* Remove overly specific Cross-cert requirement; fix serialNumber encoding

* Clarify NC exclusion

* Remove "Domain Name or IP Address" validation requirement for now

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Integrate newer ballots (#406)

* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Integrate SC-48 CN requirements

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023).

* Update BR.md

Address Comments:
- #402 (comment) (added "CRL")
- #414 (comment) (as suggested)

* Align with BRs

Inadvertent numbering change.

* Update BR.md

Add consideration for a phased reduction of short-lived subscriber certificate validity. 

(in response to #414 (comment))

* Update BR.md

Cleaning-up proposal in advance of discussion.

* Update EVG.md

[clean-up diff, this file was not intentionally modified in the PR]

* Update BR.md

[clean-up]

* Update BR.md

[cleanup]

* Update BR.md

* Update BR.md

* Update BR.md

begin integrating SC-61 language.

* integrate sc61

* Update BR.md

continue tweaking to include sc61

* Update BR.md

improve readability

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

correct spelling error

* Update BR.md

* Update BR.md

typo

* Update BR.md

* Update BR.md

* Update BR.md

* Improve specificity of CRL issuance frequency

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

Typo (thanks, Wendy!)

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BR.md

* Update BR.md

* Update BR.md

Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days."

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

"twenty four" -> "twenty-four"

* Update BR.md

* Add provision to handle nonces per RFC8954

* Update BR.md

Improve readability.

* Update BR.md

* Update BR.md

* Update BR.md

CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates.

This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise).

* Address comment from Rob

* Clean up language

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Address formatting nits

* Address table formatting nits.

* Remove redundant language re: nextUpdate

* Clarify use of "unspecified" CRL Reason Code

* Clarify IDP

* (Further) Clarify IDP

* Update BR.md

Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly.

* Update BR.md

Nits.

---------

Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>
barrini added a commit that referenced this pull request Aug 29, 2023
#441)

* Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414)

* Profiles WIP

* Clarify AIA based on 2021-06-12 call

AIA allows multiple methods, and multiple instances of each method.
However, client implementations use the ordering to indicate priority,
as per RFC 5280, so clarify the requirements for multiple
AccessDescriptions with the same accessMethod.

* Address basicConstraints for OCSP Responder feedback

Rather than make basicConstraints MUST, make it a MAY, to allow
omission (plus v3) or presence (but empty) to indicate that it is not
a CA certificate.

* Address the "any other value" situations with 7.1.2.4 language

This adopts the language from 7.1.2.4 to the various extensibility
points, by trying to explicitly clarify as appropriate as to what is
permitted.

* Fix the certificatePolicies mismatched highlighted by Corey

* Change SHOULD NOT to NOT RECOMMENDED

While RFC 2119 establishes that these two phrases are semantically
equivalent, it's been suggested that this may resolve some anxiety
around misinterpretations of SHOULD NOT as SHALL NOT, particularly
by auditors.

By changing this to NOT RECOMMENDED, the same guidance is preserved,
but it hopefully makes it more palatable to CAs.

See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830
for related discussion.

* Remove dnsSRV and cleanup otherName handling

This removes the (buggy) description of DNS SRV and leaves it overall
as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements.
It also fixes up a typo (extension OID -> type-id)

* Formatting fix

* Move the Non-TLS EKU requirement into the Non-TLS profile

Originally it was part of the common fields, when there were multiple
variations of non-TLS CAs. However, as there is only a single
reference to this section, fold it in to the non-TLS profile.

This hopefully makes it clearer about the EKU requirements for
non-TLS CAs (being what defines something as non-TLS), and reduces
some confusion around non-TLS and TLS common sections.

* Redo Certificate Policies for Non-TLS CAs

The existing language was buggy, in that a link target was updated, but
not the section heading. However, it was further buggy due to the
interactions between Affiliated and Non-Affiliated CAs.

This overhauls it in line with the November and F2F discussions; unlike
many of the other extensions in this section (which are dictated by RFC
5280 as being mandatory for certain situations), certificatePolicies is
not, so this is demoted to a MAY.

However, the language from RFC 5280 does set out some guidance - such
as not recommending that a policyQualifier be present - and so that
requirement is preserved, under the argument that a non-TLS CA should
still align with RFC 5280 if issued under a BR CA.

This does *remove* an existing BR requirement, namely those inherited
from Section 7.1.6.3, but since that seemed to align with the intent
of the SCWG, this should be a positive change.

* Naming Cleanup

This moves the metadata prohibition and domain name prohibition from
applying to all certificates to only applying to Subscriber certificates
(and in particular, to IV/OV/EV).

This also corrects the organizationalUnit name to reflect SC47v2.

* Formatting & Section Heading fixes

This fixes a few unnumbered sections (around validity periods)
and adjusts the formatting for several tables to better accomodate
the text.

* Fix a bug in non-TLS technically constrained CAs

For non-TLS CAs, don't allow them to assert the BR's CP OIDs,
as the certificates will not be BR compliant.

* Redo Certificate Policies

This reworks the presentation and format of the certificatePolicies
extensions, better aligning to the BRs, and hopefully providing
sufficient clarity:

Relaxations:

- Reserved Policy OID is * no longer* required to be first, but is
  RECOMMENDED (SHOULD).
- The separation of "Affiliated" and "Unaffiliated" for certificate
  policies is removed. This was introduced for Cross-Certified
  Sub-CAs, but resulted in some ambiguity about what happens when a
  Technically Constrained (non-TLS or nameConstraints) Sub-CA is
  operated by a non-Affiliated entity. The requirements around
  Affiliation are now folded into a common section, rather than being
  two sections.
- Although not permitted by the current BRs, the cPSuri is now
  explicitly allowed for all certificate policies (_including_ for
  anyPolicy).
- anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for
  OCSP Responders
- Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED)
  for OCSP Responders.

Clarifications:
- A note is added to the OCSP Responder section explaining that
  because CPs limit the validity and purposes of a certificate, it
  becomes possible to create an "invalid" responder that clients will
  reject (and thus also reject responses), and that this is part of
  the reason for forbidding.
- For TLS certificates, the requirements for CPs for sub-CAs versus
  leaf certificates had a slightly different wording: whether a given
  CP needed to be documented by the CA (e.g. could be any policy,
  including a reserved CP or anyPolicy) or needed to be _defined_ and
  documented by the CA (i.e. must be from the CA's own OID arc). This
  harmonizes the language for TLS ("defined by"), while still leaving a
  fairly large carveout for non-TLS ("documented").

* Minor fixes and cleanups (#399)

* Add order and encoding requirement for DC attribute

* Remove overly specific Cross-cert requirement; fix serialNumber encoding

* Clarify NC exclusion

* Remove "Domain Name or IP Address" validation requirement for now

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Integrate newer ballots (#406)

* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Integrate SC-48 CN requirements

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023).

* Update BR.md

Address Comments:
- #402 (comment) (added "CRL")
- #414 (comment) (as suggested)

* Align with BRs

Inadvertent numbering change.

* Update BR.md

Add consideration for a phased reduction of short-lived subscriber certificate validity. 

(in response to #414 (comment))

* Update BR.md

Cleaning-up proposal in advance of discussion.

* Update EVG.md

[clean-up diff, this file was not intentionally modified in the PR]

* Update BR.md

[clean-up]

* Update BR.md

[cleanup]

* Update BR.md

* Update BR.md

* Update BR.md

begin integrating SC-61 language.

* integrate sc61

* Update BR.md

continue tweaking to include sc61

* Update BR.md

improve readability

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

correct spelling error

* Update BR.md

* Update BR.md

typo

* Update BR.md

* Update BR.md

* Update BR.md

* Improve specificity of CRL issuance frequency

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

Typo (thanks, Wendy!)

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BR.md

* Update BR.md

* Update BR.md

Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days."

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

"twenty four" -> "twenty-four"

* Update BR.md

* Add provision to handle nonces per RFC8954

* Update BR.md

Improve readability.

* Update BR.md

* Update BR.md

* Update BR.md

CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates.

This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise).

* Address comment from Rob

* Clean up language

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Address formatting nits

* Address table formatting nits.

* Remove redundant language re: nextUpdate

* Clarify use of "unspecified" CRL Reason Code

* Clarify IDP

* (Further) Clarify IDP

* Update BR.md

Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly.

* Update BR.md

Nits.

---------

Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BR.md

---------

Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>
vanbroup added a commit to vanbroup/documents that referenced this pull request Dec 20, 2023
* Profiles WIP

* Clarify AIA based on 2021-06-12 call

AIA allows multiple methods, and multiple instances of each method.
However, client implementations use the ordering to indicate priority,
as per RFC 5280, so clarify the requirements for multiple
AccessDescriptions with the same accessMethod.

* Address basicConstraints for OCSP Responder feedback

Rather than make basicConstraints MUST, make it a MAY, to allow
omission (plus v3) or presence (but empty) to indicate that it is not
a CA certificate.

* Address cRLDistributionPoints

As captured on
https://archive.cabforum.org/pipermail/validation/2021-July/001675.html
provide better guidance for the encoding of cRLDistributionPoints and
the permitted protocols.

* Fix broken link and better clarify WIP sections

* Clarify OCSP and other EKUs

Non-TLS CAs MUST NOT include id-kp-OCSPSigning, since this would
potentially make them OCSP signers for the issuing CA. Similarly,
with respect to non-TLS CAs, it's fine (and useful!) to use other
EKUs, so this is a MAY (or possibly SHOULD), not a SHOULD NOT.

* Remove stale FIXME regarding serial numbers

* Introduce Precertificate Signing CA Profile

A Precertificate Signing CA, ontologically, a type of Technically
Constrained Non-TLS Sub-CA, by virtue of the Extended Key Usage. To
avoid ambiguity, this introduces a profile specific for Precert Signing
CAs that make it clear that the Precert Signing EKU MUST be the only EKU
present, to avoid a situation similar to that seen with OCSP responders.

RFC 6962 is somewhat fast and loose with respect to whether or not
"CA:true" is required in the profile for these, but in practice,
implementations of logs, and existing CAs, do expect CA:true.

Although not meant to be a normative change from the existing practices
and consequences of existing requirements, it does make explicit that
such CAs MUST only sign Precertificates; although this is less critical
given the EKU constraint (to being a singular EKU), it represents a
defense in depth approach consistent with existing practice.

* Align postalCode/streetAddress hierarchy

As pointed out by DigiCert, postal code represents a greater enclosing
area than the street address, and thus hierarchically should appear
first.

* Fix nameConstraints for TLS subCAs

They were accidentally a MUST, when they should have been a MAY. Bad
copy/paste.

* Bump OCSP placeholder dates for cert policies

Move the effective date to 6 months from now; will likely continue to
move as we finalize things, but offers a placeholder to handling
effective dates.

* Make cRLDP MUST NOT for OCSP Responders

As pointed out by Corey, an id-pkix-ocsp-nocheck should be expected to
disable all revocation checking (not just recursive OCSP revocation
checking), so it makes sense to MUST NOT the cRLDP for the OCSP
Responder, since we MUST nocheck.

* Fix typo -> MMAY to MAY

* Precertificates and Precertificate Signing CAs

This introduces the notion of Precertificates and Precertificate
Signing CAs as part of the Profiles, and captures the existing
requirements from RFC 6962. It defines a Precertificate as based
on a transformation of an existing Certificate conforming to one
of the profiles, as opposed to attempting to define variants for
every version or how to construct a Precertificate for a given
profile.

This attempts to similarly capture that, for purposes of compliance,
a Precertificate is treated as if there is an equivalent Certificate,
by reflecting that Precertificates need to match a Certificate based
on the transformations defined, and that the Certificates need to
match the profiles defined.

* Address validity periods

This attempts to clarify when/how backdating is allowed, particularly
since it may affect path building. It gives a generous period for CA
backdating when the distinguishedName remains the same, but may be
imperfect if the keys are changing.

* Address the "any other value" situations with 7.1.2.4 language

This adopts the language from 7.1.2.4 to the various extensibility
points, by trying to explicitly clarify as appropriate as to what is
permitted.

* Fix the certificatePolicies mismatched highlighted by Corey

* Formatting and plurality fixup

* Change SHOULD NOT to NOT RECOMMENDED

While RFC 2119 establishes that these two phrases are semantically
equivalent, it's been suggested that this may resolve some anxiety
around misinterpretations of SHOULD NOT as SHALL NOT, particularly
by auditors.

By changing this to NOT RECOMMENDED, the same guidance is preserved,
but it hopefully makes it more palatable to CAs.

See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830
for related discussion.

* Clarify subject name rules & add effective date

This restructures the naming rules to try to clarify:
- That technically constrained non-TLS sub-CAs are in-scope, but the
  certificates they issue are not
- That the rules about byte-for-byte apply for all certificates in
  scope
- That the requirements for the ordering and sequencing of names is
  a forward-dated requirement. Although it can be argued that some
  of these are existing requirements, avoid any messiness by
  structuring it holistically.
- Adds a note to 7.1.4 to call out that 7.1.2.2.1 provides an
  exception
- State the exception in 7.1.2.2.1 both normatively and informatively,
  to try and avoid misinterpretation.

This was based on Corey's feedback in
https://github.com/sleevi/cabforum-docs/pull/36/files#r689880007

* Remove dnsSRV and cleanup otherName handling

This removes the (buggy) description of DNS SRV and leaves it overall
as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements.
It also fixes up a typo (extension OID -> type-id)

* Formatting fix

* Move the Non-TLS EKU requirement into the Non-TLS profile

Originally it was part of the common fields, when there were multiple
variations of non-TLS CAs. However, as there is only a single
reference to this section, fold it in to the non-TLS profile.

This hopefully makes it clearer about the EKU requirements for
non-TLS CAs (being what defines something as non-TLS), and reduces
some confusion around non-TLS and TLS common sections.

* Redo Certificate Policies for Non-TLS CAs

The existing language was buggy, in that a link target was updated, but
not the section heading. However, it was further buggy due to the
interactions between Affiliated and Non-Affiliated CAs.

This overhauls it in line with the November and F2F discussions; unlike
many of the other extensions in this section (which are dictated by RFC
5280 as being mandatory for certain situations), certificatePolicies is
not, so this is demoted to a MAY.

However, the language from RFC 5280 does set out some guidance - such
as not recommending that a policyQualifier be present - and so that
requirement is preserved, under the argument that a non-TLS CA should
still align with RFC 5280 if issued under a BR CA.

This does *remove* an existing BR requirement, namely those inherited
from Section 7.1.6.3, but since that seemed to align with the intent
of the SCWG, this should be a positive change.

* Make PolicyIdentifier ordering optional

This makes the requirement for the Reserved Policy Identifier
to be the first policyIdentifier optional, while explaining with
a note the basis for that logic. To avoid confusion, it makes it
clear that only one instance of a Reserved Policy Identifier may
be present (e.g. can't be simultaneously OV and EV)

* Indicate a max for serial numbers

This incorporates Corey's
https://github.com/sleevi/cabforum-docs/pull/39/commits/04c55a4cdf2f6ea068bd1f743a83b60def34dcae

* Try to address the SKI uniqueness

The approach to SKI uniqueness was flagged as ambigous, and two options
were presented:
  - Option 1, mandate the SKI generation algorithm
  - Option 2, clarify that it's only unique "for the CA"

Option 2 still has security risks with respect to denial of service,
but CAs were unsure about when Option 1 would b eimplementable (e.g.
if mandating SHA-2, CA software that uses SHA-1 would need to be
updated).

For now, this goes with Option 2, although a mandatory algorithm would
resolve the issues wholesale.

This is adapted from Corey Bonnell's
https://github.com/sleevi/cabforum-docs/pull/39/commits/41cb3063b41af69615bba5410279396994d2ebc0

* Allow backdating up to 48 hours

This adopts a 48 hour window, as proposed in
https://github.com/sleevi/cabforum-docs/pull/39/commits/816ad7aa79cbfc1315561590d89ed7a9fd076b97

* Naming Cleanup

This moves the metadata prohibition and domain name prohibition from
applying to all certificates to only applying to Subscriber certificates
(and in particular, to IV/OV/EV).

This also corrects the organizationalUnit name to reflect SC47v2.

* Harmonize effective dates to 2022-11-01

This only affects the certificatePolicies for OCSP Responders and
the naming rules (for all certificates), but shifts to a harmonized
date.

* Formatting & Section Heading fixes

This fixes a few unnumbered sections (around validity periods)
and adjusts the formatting for several tables to better accomodate
the text.

* OrganizationalUnitName fixups

Fixup the OU field

* Remove stale TODO/TBDs

* Fix a bug in non-TLS technically constrained CAs

For non-TLS CAs, don't allow them to assert the BR's CP OIDs,
as the certificates will not be BR compliant.

* CT Cleanups

In order for the precertificate signing CA to be considered
technically constrained, restrict its EKU to only permitting it
to issue precertificates.

Additionally, add a cross-reference and tweak a MAY to a may, as the
paragraph that follows the MAY contains the actual normative
requirement, and this is just an informative explainer.

* Remove rfc822Name from TLS technically constrained CAs

rfc822Name is allowed, and described, in 7.1.2.10.9, as its a
translation of the requirements of 3.2.2.4/3.2.2.5/7.1.2.4 of the
existing BRs, and there are some CA profiles that allow non-TLS
EKUs to be present (for ex, cross-certification).

For technically constrained TLS sub-CAs, it was originally present
because of Mozilla Root Store Policy, Section 1.1, which requires
out-of-scope CAs to constrain on that name type. However, since
a TCSC TLS CA MUST NOT include EKUs other than serverAuth &
clientAuth, it was seen as unnecessary to even allow rfc822Name.

* Clarify Precert language

This clarifies the language around precerts by:

* harmonizing on 'corresponding Certificate' instead of 'equivalent
  Certificate'
* changing 'byte-for-byte equivalent' to 'byte-for-byte identical'
  to avoid any ambiguity
* Rewording the AKI section when using a Precert Signing CA, to avoid
  stating the same requirement several ways that might be read as
  giving conflicting or different guidance, and RECOMMENDING/SHOULD
  harmonizing on the AKI containing the Precert Signing CA's SKI,
  as the Log is expected to transform and substitute (and all
  observed logs appear to do so).

* Redo Certificate Policies

This reworks the presentation and format of the certificatePolicies
extensions, better aligning to the BRs, and hopefully providing
sufficient clarity:

Relaxations:

- Reserved Policy OID is * no longer* required to be first, but is
  RECOMMENDED (SHOULD).
- The separation of "Affiliated" and "Unaffiliated" for certificate
  policies is removed. This was introduced for Cross-Certified
  Sub-CAs, but resulted in some ambiguity about what happens when a
  Technically Constrained (non-TLS or nameConstraints) Sub-CA is
  operated by a non-Affiliated entity. The requirements around
  Affiliation are now folded into a common section, rather than being
  two sections.
- Although not permitted by the current BRs, the cPSuri is now
  explicitly allowed for all certificate policies (_including_ for
  anyPolicy).
- anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for
  OCSP Responders
- Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED)
  for OCSP Responders.

Clarifications:
- A note is added to the OCSP Responder section explaining that
  because CPs limit the validity and purposes of a certificate, it
  becomes possible to create an "invalid" responder that clients will
  reject (and thus also reject responses), and that this is part of
  the reason for forbidding.
- For TLS certificates, the requirements for CPs for sub-CAs versus
  leaf certificates had a slightly different wording: whether a given
  CP needed to be documented by the CA (e.g. could be any policy,
  including a reserved CP or anyPolicy) or needed to be _defined_ and
  documented by the CA (i.e. must be from the CA's own OID arc). This
  harmonizes the language for TLS ("defined by"), while still leaving a
  fairly large carveout for non-TLS ("documented").

* Changes to Key Usage values for Subscriber Certificates (#376)

Changing dataEncipherment for RSA and KeyAgreement for ECC to not recommended.

* Definitions Update - Pending Prohibition (#388)

* Add single all-encompassing effective date (#381)

* Add single all-encompassing effective date

* Integrate discussion from 2022-08-25 VSC call

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Add specification for EV attributes (#391)

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update to allow multiple instances of subject attributes (#392)

* Update to allow multiple instances of subject attributes

To allow for multiple instances of the domainContact attributes until we can address at an upcoming ballot.

* Specific exceptions for attributes with multiple instances

Allow multiple instances of the same attribute for `streetAddress` and `domainComponent`.
For the latter, language from [ballot 102](https://cabforum.org/2013/05/31/ballot-102-br-9-2-3-domaincomponent/) was used.

* Correct IV streetAddress multiple instances

For consistency allow multiple instances for the `streetAddress` attribute in IV Certificates.

* Update docs/BR.md

Improved language for the domainComponent

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Add order and encoding requirement for DC attribute (#395)

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Clarify OUs in CA Certificates (#398)

* Clarify that OUs are not allowed for CA Certificates described in section 7.1.2.3 per conversation in https://lists.cabforum.org/pipermail/validation/2022-October/001812.html.

Added an effective date of 2022-12-12 which can be updated as needed.

* Fix typo with quotes

* Update based on F2F 57

- Removal of OU validation rules prior to 2022-12-12 because it includes non-TLS Issuing CAs
- Clarification that the "MUST NOT" for OUs after 2022-12-12 also applies to Root CA Certificates and TLS Subordinate CA Certificates

* fix effective date

* Fix references and adding the two types of TLS CAs

* Improve language around OUs in CA Certificates

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Capitalize "CA certificates" for consistency

* Fix typo

Fix typo based on https://github.com/cabforum/servercert/pull/398#discussion_r1013037979

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Minor fixes and cleanups (#399)

* Add order and encoding requirement for DC attribute

* Remove overly specific Cross-cert requirement; fix serialNumber encoding

* Clarify NC exclusion

* Remove "Domain Name or IP Address" validation requirement for now

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Integrate newer ballots (#406)

* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409,  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409,  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Integrate SC-48 CN requirements

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Integrate SC-56 and SC-58 (#409)

* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](https://github.com/Kozea/CairoSVG/compare/1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409,  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

# Voting Results 

The voting on ballot SC54 has completed, and the ballot has passed.
 
Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions
 
Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.
 
This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

# Commit History

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to https://github.com/cabforum/servercert/issues/191#issuecomment-827810409,  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785b2fd6a3fe0957434f9d13b13a47d4d19b.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC-56: 2022 Cleanup (#401)

* SC-56: 2022 Cleanup (#385)

Ballot has passed; moving to SC56 branch for IPR

* #340

* #339

* #333

* #318

* #315

* #312

* #309

* #275

* #344

* #345

* #378

* #380

* #287

* #300

* #259

* #284

* #277

* #311

* #310

* Remove historical effective dates

* #196

* #251

* #212

* #386

* Grammatical improvement suggested by Wendy Brown

* Remove text for retired methods

* Switch to new tables tooling

* Fix broken section references

* Bump upload-artifact version

* Linkify US denied persons/entities list URLs

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update effective dates and tables

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-58: Require distributionPoint in sharded CRLs (#396) (#403)

* SC-58: Require distributionPoint in sharded CRLs (#396)

* SC-XX: Require distributionPoint in sharded CRLs

The language in RFC 5280 regarding the interaction between the
distributionPoint field of the Issuing Distribution Point CRL extension
and the existence of sharded CRLs has led to significant debate on
interpretation, and appears to contradict X.509.

To protect against replacement attacks, make it explicitly clear that
the Issuing Distribution Point extension and distributionPoint field are
required for sharded or partitioned CRLs.

* Remind readers that the IDP must be critical

* Change effective date to Jan 15

* Change effective date in Section 1.2 table, too

* Update BR.md

Co-authored-by: Aaron Gable <aaron@letsencrypt.org>

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@letsencrypt.org>

* This PR fixes issues in section 7.1.2.7.3 and 7.1.2.7.4. (#416)

* Profiles extended effective date (#413)

* Update BR.md

* Update BR.md

* Add policyQualifiers Note (#412)

* Add policyQualifiers Note

Added explanation of rationale for NOT RECOMMENDED to section 7.1.2.10.5

* Update docs/BR.md

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* SC-062 Profiles: Address various editorial and content nits (#418)

* Use unicode figure space for table indentation

* Use unicode superscript for exponentiation

* Fix surname_givenname footnote link

* Use approx instead of e.g. for approximate years

* Include profile name in subsection titles

* Reduce table duplication in 7.1.2.2.3

* Explain criticality of Subscriber SAN in-line

* Unify language in 7.1.2.7.12

* Unify language around NULL extension values

* Simplify CRL Distribution Point tables

* Cross-Certification establishes trust between any two CAs

* Fix AuthorityInfoAccessSyntax name

* More flexible Certificate Policy OID definitions

* Close two precertificates with same serial loophole

* fix basicConstraints empty value

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Fix upper bound for organizational-unit-name

[RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#:~:text=ub%2Dorganizational%2Dunit%2Dname%20INTEGER%20%3A%3A%3D%2064) defines 64 characters as the upper bound for ub-organizational-unit-name.

* Fix typo: "committment" --> "commitment" (#2)

* Clarify Cross-Certificate EKU Requirements  (#3)

---------

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>

* Fix broken links (#427)

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md (#429)

---------

Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: AnetaWojtczak <104534364+AnetaWojtczak@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Iñigo Barreira <92998585+barrini@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
vanbroup added a commit to vanbroup/documents that referenced this pull request Dec 20, 2023
cabforum#441)

* Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (cabforum#414)

* Profiles WIP

* Clarify AIA based on 2021-06-12 call

AIA allows multiple methods, and multiple instances of each method.
However, client implementations use the ordering to indicate priority,
as per RFC 5280, so clarify the requirements for multiple
AccessDescriptions with the same accessMethod.

* Address basicConstraints for OCSP Responder feedback

Rather than make basicConstraints MUST, make it a MAY, to allow
omission (plus v3) or presence (but empty) to indicate that it is not
a CA certificate.

* Address the "any other value" situations with 7.1.2.4 language

This adopts the language from 7.1.2.4 to the various extensibility
points, by trying to explicitly clarify as appropriate as to what is
permitted.

* Fix the certificatePolicies mismatched highlighted by Corey

* Change SHOULD NOT to NOT RECOMMENDED

While RFC 2119 establishes that these two phrases are semantically
equivalent, it's been suggested that this may resolve some anxiety
around misinterpretations of SHOULD NOT as SHALL NOT, particularly
by auditors.

By changing this to NOT RECOMMENDED, the same guidance is preserved,
but it hopefully makes it more palatable to CAs.

See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830
for related discussion.

* Remove dnsSRV and cleanup otherName handling

This removes the (buggy) description of DNS SRV and leaves it overall
as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements.
It also fixes up a typo (extension OID -> type-id)

* Formatting fix

* Move the Non-TLS EKU requirement into the Non-TLS profile

Originally it was part of the common fields, when there were multiple
variations of non-TLS CAs. However, as there is only a single
reference to this section, fold it in to the non-TLS profile.

This hopefully makes it clearer about the EKU requirements for
non-TLS CAs (being what defines something as non-TLS), and reduces
some confusion around non-TLS and TLS common sections.

* Redo Certificate Policies for Non-TLS CAs

The existing language was buggy, in that a link target was updated, but
not the section heading. However, it was further buggy due to the
interactions between Affiliated and Non-Affiliated CAs.

This overhauls it in line with the November and F2F discussions; unlike
many of the other extensions in this section (which are dictated by RFC
5280 as being mandatory for certain situations), certificatePolicies is
not, so this is demoted to a MAY.

However, the language from RFC 5280 does set out some guidance - such
as not recommending that a policyQualifier be present - and so that
requirement is preserved, under the argument that a non-TLS CA should
still align with RFC 5280 if issued under a BR CA.

This does *remove* an existing BR requirement, namely those inherited
from Section 7.1.6.3, but since that seemed to align with the intent
of the SCWG, this should be a positive change.

* Naming Cleanup

This moves the metadata prohibition and domain name prohibition from
applying to all certificates to only applying to Subscriber certificates
(and in particular, to IV/OV/EV).

This also corrects the organizationalUnit name to reflect SC47v2.

* Formatting & Section Heading fixes

This fixes a few unnumbered sections (around validity periods)
and adjusts the formatting for several tables to better accomodate
the text.

* Fix a bug in non-TLS technically constrained CAs

For non-TLS CAs, don't allow them to assert the BR's CP OIDs,
as the certificates will not be BR compliant.

* Redo Certificate Policies

This reworks the presentation and format of the certificatePolicies
extensions, better aligning to the BRs, and hopefully providing
sufficient clarity:

Relaxations:

- Reserved Policy OID is * no longer* required to be first, but is
  RECOMMENDED (SHOULD).
- The separation of "Affiliated" and "Unaffiliated" for certificate
  policies is removed. This was introduced for Cross-Certified
  Sub-CAs, but resulted in some ambiguity about what happens when a
  Technically Constrained (non-TLS or nameConstraints) Sub-CA is
  operated by a non-Affiliated entity. The requirements around
  Affiliation are now folded into a common section, rather than being
  two sections.
- Although not permitted by the current BRs, the cPSuri is now
  explicitly allowed for all certificate policies (_including_ for
  anyPolicy).
- anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for
  OCSP Responders
- Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED)
  for OCSP Responders.

Clarifications:
- A note is added to the OCSP Responder section explaining that
  because CPs limit the validity and purposes of a certificate, it
  becomes possible to create an "invalid" responder that clients will
  reject (and thus also reject responses), and that this is part of
  the reason for forbidding.
- For TLS certificates, the requirements for CPs for sub-CAs versus
  leaf certificates had a slightly different wording: whether a given
  CP needed to be documented by the CA (e.g. could be any policy,
  including a reserved CP or anyPolicy) or needed to be _defined_ and
  documented by the CA (i.e. must be from the CA's own OID arc). This
  harmonizes the language for TLS ("defined by"), while still leaving a
  fairly large carveout for non-TLS ("documented").

* Minor fixes and cleanups (cabforum#399)

* Add order and encoding requirement for DC attribute

* Remove overly specific Cross-cert requirement; fix serialNumber encoding

* Clarify NC exclusion

* Remove "Domain Name or IP Address" validation requirement for now

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Integrate newer ballots (cabforum#406)

* Update README (cabforum#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (cabforum#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (cabforum#282) (cabforum#290)

* SC47 Sunset subject:organizationalUnitName (cabforum#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (cabforum#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (cabforum#285) (cabforum#302)

* SC48 - Domain Name and IP Address Encoding (cabforum#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (cabforum#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (cabforum#328)

* SC50 - Remove the requirements of 4.1.1 (cabforum#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (cabforum#330) (cabforum#338)

* Sunset SHA-1 for OCSP signing (cabforum#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (cabforum#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (cabforum#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (cabforum#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (cabforum#369)

* SC-54: Onion cleanup (cabforum#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses cabforum#270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses cabforum#242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses cabforum#241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses cabforum#240. Things are signed using private, not public keys.

* Addresses cabforum#190, cabforum#191. According to cabforum#191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (cabforum#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses cabforum#270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses cabforum#242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses cabforum#241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses cabforum#240. Things are signed using private, not public keys.

* Addresses cabforum#190, cabforum#191. According to cabforum#191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Integrate SC-48 CN requirements

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023).

* Update BR.md

Address Comments:
- cabforum#402 (comment) (added "CRL")
- cabforum#414 (comment) (as suggested)

* Align with BRs

Inadvertent numbering change.

* Update BR.md

Add consideration for a phased reduction of short-lived subscriber certificate validity. 

(in response to cabforum#414 (comment))

* Update BR.md

Cleaning-up proposal in advance of discussion.

* Update EVG.md

[clean-up diff, this file was not intentionally modified in the PR]

* Update BR.md

[clean-up]

* Update BR.md

[cleanup]

* Update BR.md

* Update BR.md

* Update BR.md

begin integrating SC-61 language.

* integrate sc61

* Update BR.md

continue tweaking to include sc61

* Update BR.md

improve readability

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

correct spelling error

* Update BR.md

* Update BR.md

typo

* Update BR.md

* Update BR.md

* Update BR.md

* Improve specificity of CRL issuance frequency

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

Typo (thanks, Wendy!)

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BR.md

* Update BR.md

* Update BR.md

Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days."

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

"twenty four" -> "twenty-four"

* Update BR.md

* Add provision to handle nonces per RFC8954

* Update BR.md

Improve readability.

* Update BR.md

* Update BR.md

* Update BR.md

CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates.

This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise).

* Address comment from Rob

* Clean up language

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Address formatting nits

* Address table formatting nits.

* Remove redundant language re: nextUpdate

* Clarify use of "unspecified" CRL Reason Code

* Clarify IDP

* (Further) Clarify IDP

* Update BR.md

Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly.

* Update BR.md

Nits.

---------

Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BR.md

---------

Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>
barrini added a commit that referenced this pull request Jan 19, 2024
* Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (#441)

* Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414)

* Profiles WIP

* Clarify AIA based on 2021-06-12 call

AIA allows multiple methods, and multiple instances of each method.
However, client implementations use the ordering to indicate priority,
as per RFC 5280, so clarify the requirements for multiple
AccessDescriptions with the same accessMethod.

* Address basicConstraints for OCSP Responder feedback

Rather than make basicConstraints MUST, make it a MAY, to allow
omission (plus v3) or presence (but empty) to indicate that it is not
a CA certificate.

* Address the "any other value" situations with 7.1.2.4 language

This adopts the language from 7.1.2.4 to the various extensibility
points, by trying to explicitly clarify as appropriate as to what is
permitted.

* Fix the certificatePolicies mismatched highlighted by Corey

* Change SHOULD NOT to NOT RECOMMENDED

While RFC 2119 establishes that these two phrases are semantically
equivalent, it's been suggested that this may resolve some anxiety
around misinterpretations of SHOULD NOT as SHALL NOT, particularly
by auditors.

By changing this to NOT RECOMMENDED, the same guidance is preserved,
but it hopefully makes it more palatable to CAs.

See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830
for related discussion.

* Remove dnsSRV and cleanup otherName handling

This removes the (buggy) description of DNS SRV and leaves it overall
as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements.
It also fixes up a typo (extension OID -> type-id)

* Formatting fix

* Move the Non-TLS EKU requirement into the Non-TLS profile

Originally it was part of the common fields, when there were multiple
variations of non-TLS CAs. However, as there is only a single
reference to this section, fold it in to the non-TLS profile.

This hopefully makes it clearer about the EKU requirements for
non-TLS CAs (being what defines something as non-TLS), and reduces
some confusion around non-TLS and TLS common sections.

* Redo Certificate Policies for Non-TLS CAs

The existing language was buggy, in that a link target was updated, but
not the section heading. However, it was further buggy due to the
interactions between Affiliated and Non-Affiliated CAs.

This overhauls it in line with the November and F2F discussions; unlike
many of the other extensions in this section (which are dictated by RFC
5280 as being mandatory for certain situations), certificatePolicies is
not, so this is demoted to a MAY.

However, the language from RFC 5280 does set out some guidance - such
as not recommending that a policyQualifier be present - and so that
requirement is preserved, under the argument that a non-TLS CA should
still align with RFC 5280 if issued under a BR CA.

This does *remove* an existing BR requirement, namely those inherited
from Section 7.1.6.3, but since that seemed to align with the intent
of the SCWG, this should be a positive change.

* Naming Cleanup

This moves the metadata prohibition and domain name prohibition from
applying to all certificates to only applying to Subscriber certificates
(and in particular, to IV/OV/EV).

This also corrects the organizationalUnit name to reflect SC47v2.

* Formatting & Section Heading fixes

This fixes a few unnumbered sections (around validity periods)
and adjusts the formatting for several tables to better accomodate
the text.

* Fix a bug in non-TLS technically constrained CAs

For non-TLS CAs, don't allow them to assert the BR's CP OIDs,
as the certificates will not be BR compliant.

* Redo Certificate Policies

This reworks the presentation and format of the certificatePolicies
extensions, better aligning to the BRs, and hopefully providing
sufficient clarity:

Relaxations:

- Reserved Policy OID is * no longer* required to be first, but is
  RECOMMENDED (SHOULD).
- The separation of "Affiliated" and "Unaffiliated" for certificate
  policies is removed. This was introduced for Cross-Certified
  Sub-CAs, but resulted in some ambiguity about what happens when a
  Technically Constrained (non-TLS or nameConstraints) Sub-CA is
  operated by a non-Affiliated entity. The requirements around
  Affiliation are now folded into a common section, rather than being
  two sections.
- Although not permitted by the current BRs, the cPSuri is now
  explicitly allowed for all certificate policies (_including_ for
  anyPolicy).
- anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for
  OCSP Responders
- Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED)
  for OCSP Responders.

Clarifications:
- A note is added to the OCSP Responder section explaining that
  because CPs limit the validity and purposes of a certificate, it
  becomes possible to create an "invalid" responder that clients will
  reject (and thus also reject responses), and that this is part of
  the reason for forbidding.
- For TLS certificates, the requirements for CPs for sub-CAs versus
  leaf certificates had a slightly different wording: whether a given
  CP needed to be documented by the CA (e.g. could be any policy,
  including a reserved CP or anyPolicy) or needed to be _defined_ and
  documented by the CA (i.e. must be from the CA's own OID arc). This
  harmonizes the language for TLS ("defined by"), while still leaving a
  fairly large carveout for non-TLS ("documented").

* Minor fixes and cleanups (#399)

* Add order and encoding requirement for DC attribute

* Remove overly specific Cross-cert requirement; fix serialNumber encoding

* Clarify NC exclusion

* Remove "Domain Name or IP Address" validation requirement for now

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Integrate newer ballots (#406)

* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Integrate SC-48 CN requirements

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023).

* Update BR.md

Address Comments:
- #402 (comment) (added "CRL")
- #414 (comment) (as suggested)

* Align with BRs

Inadvertent numbering change.

* Update BR.md

Add consideration for a phased reduction of short-lived subscriber certificate validity. 

(in response to #414 (comment))

* Update BR.md

Cleaning-up proposal in advance of discussion.

* Update EVG.md

[clean-up diff, this file was not intentionally modified in the PR]

* Update BR.md

[clean-up]

* Update BR.md

[cleanup]

* Update BR.md

* Update BR.md

* Update BR.md

begin integrating SC-61 language.

* integrate sc61

* Update BR.md

continue tweaking to include sc61

* Update BR.md

improve readability

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

correct spelling error

* Update BR.md

* Update BR.md

typo

* Update BR.md

* Update BR.md

* Update BR.md

* Improve specificity of CRL issuance frequency

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

Typo (thanks, Wendy!)

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BR.md

* Update BR.md

* Update BR.md

Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days."

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

"twenty four" -> "twenty-four"

* Update BR.md

* Add provision to handle nonces per RFC8954

* Update BR.md

Improve readability.

* Update BR.md

* Update BR.md

* Update BR.md

CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates.

This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise).

* Address comment from Rob

* Clean up language

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Address formatting nits

* Address table formatting nits.

* Remove redundant language re: nextUpdate

* Clarify use of "unspecified" CRL Reason Code

* Clarify IDP

* (Further) Clarify IDP

* Update BR.md

Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly.

* Update BR.md

Nits.

---------

Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BR.md

---------

Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Fall 2023 clean up (#460)

* Issue#169

Issue #169 
- updated 3.2.2.5.6 and 3.2.2.5.7
- added RFC 8738 in References

* Issue #174

Issue #174 
- Updated title in section 3.2.2.4.10
- Updated section 3.2.2.4.18

* Issue #337

Issue #337 
- Updated title of the document to include TLS Server
And also:
- updated section 1.1, 1.2, 1.5 and 2.2 to be consistent with the new document name

* Issue #423

Issue #423 
Updated section 1.6.3
- removing version of the Webtrust and changing the link to redirect to all the documents published by CPA Canada
- removing version of the NetSec and changing the link to redirect to the NetSec documents

* Issue #430

Issue #430 

Updated with the text suggested by Aaron as it´s the smallest change and clarifies the ambiguity of "reuse"

* Issue #444

Issue #444 

Added empty section 7.1.5

* Issue #450

Issue #450 
Updated including link to the 6.2.7 section

* Issue #453

Issue #453 

Updated section as indicated

* PR #415

PR #415 
Updated title

* Update BR.md

Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alpahabetical order

* Update BR.md

Updated version and changelog

* Issue #461

Issue #461 
Used 2 option for the update

* Update docs/BR.md

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Add line breaks in 7.1.2.11.2

According to #462

* Revert the change of the NSSR version

Put back the version 1.7 in the NetSec

* Update BR.md

---------

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

---------

Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>
barrini added a commit that referenced this pull request Mar 15, 2024
* Add files via upload

* EVG.md

* Update EVG.md

* Create EVG original

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Delete EVG original

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG.md

* Update EVG to match section 6 of the RFC 3647.md

Updated section 1.1 from scope to overview
Added section 3.2.1 for the possesion of the private key
Changed totally/created new section 3.2.2 to cover all section 11
Moved section 8.1 to section 8 and renamed the others to meet RFC3647
Added the self-audits (8.1.1) under section 8.1
Left/created section 8.7 for pre/readiness audits which do not exist under RFC 3647

* Update EVG updating links.md

2 links were updated regarding section 8

* Update EVG.md

Another link updated from 3.2.14.1 to 3.2.2.14.1

* Update branch for BRs pointing to new sections of EVGs (#476)

* Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automatio… (#441)

* Proposal: Make OCSP Optional, Require CRLs, and Incentivize Automation / Short-Lived Certificates (#414)

* Profiles WIP

* Clarify AIA based on 2021-06-12 call

AIA allows multiple methods, and multiple instances of each method.
However, client implementations use the ordering to indicate priority,
as per RFC 5280, so clarify the requirements for multiple
AccessDescriptions with the same accessMethod.

* Address basicConstraints for OCSP Responder feedback

Rather than make basicConstraints MUST, make it a MAY, to allow
omission (plus v3) or presence (but empty) to indicate that it is not
a CA certificate.

* Address the "any other value" situations with 7.1.2.4 language

This adopts the language from 7.1.2.4 to the various extensibility
points, by trying to explicitly clarify as appropriate as to what is
permitted.

* Fix the certificatePolicies mismatched highlighted by Corey

* Change SHOULD NOT to NOT RECOMMENDED

While RFC 2119 establishes that these two phrases are semantically
equivalent, it's been suggested that this may resolve some anxiety
around misinterpretations of SHOULD NOT as SHALL NOT, particularly
by auditors.

By changing this to NOT RECOMMENDED, the same guidance is preserved,
but it hopefully makes it more palatable to CAs.

See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830
for related discussion.

* Remove dnsSRV and cleanup otherName handling

This removes the (buggy) description of DNS SRV and leaves it overall
as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements.
It also fixes up a typo (extension OID -> type-id)

* Formatting fix

* Move the Non-TLS EKU requirement into the Non-TLS profile

Originally it was part of the common fields, when there were multiple
variations of non-TLS CAs. However, as there is only a single
reference to this section, fold it in to the non-TLS profile.

This hopefully makes it clearer about the EKU requirements for
non-TLS CAs (being what defines something as non-TLS), and reduces
some confusion around non-TLS and TLS common sections.

* Redo Certificate Policies for Non-TLS CAs

The existing language was buggy, in that a link target was updated, but
not the section heading. However, it was further buggy due to the
interactions between Affiliated and Non-Affiliated CAs.

This overhauls it in line with the November and F2F discussions; unlike
many of the other extensions in this section (which are dictated by RFC
5280 as being mandatory for certain situations), certificatePolicies is
not, so this is demoted to a MAY.

However, the language from RFC 5280 does set out some guidance - such
as not recommending that a policyQualifier be present - and so that
requirement is preserved, under the argument that a non-TLS CA should
still align with RFC 5280 if issued under a BR CA.

This does *remove* an existing BR requirement, namely those inherited
from Section 7.1.6.3, but since that seemed to align with the intent
of the SCWG, this should be a positive change.

* Naming Cleanup

This moves the metadata prohibition and domain name prohibition from
applying to all certificates to only applying to Subscriber certificates
(and in particular, to IV/OV/EV).

This also corrects the organizationalUnit name to reflect SC47v2.

* Formatting & Section Heading fixes

This fixes a few unnumbered sections (around validity periods)
and adjusts the formatting for several tables to better accomodate
the text.

* Fix a bug in non-TLS technically constrained CAs

For non-TLS CAs, don't allow them to assert the BR's CP OIDs,
as the certificates will not be BR compliant.

* Redo Certificate Policies

This reworks the presentation and format of the certificatePolicies
extensions, better aligning to the BRs, and hopefully providing
sufficient clarity:

Relaxations:

- Reserved Policy OID is * no longer* required to be first, but is
  RECOMMENDED (SHOULD).
- The separation of "Affiliated" and "Unaffiliated" for certificate
  policies is removed. This was introduced for Cross-Certified
  Sub-CAs, but resulted in some ambiguity about what happens when a
  Technically Constrained (non-TLS or nameConstraints) Sub-CA is
  operated by a non-Affiliated entity. The requirements around
  Affiliation are now folded into a common section, rather than being
  two sections.
- Although not permitted by the current BRs, the cPSuri is now
  explicitly allowed for all certificate policies (_including_ for
  anyPolicy).
- anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for
  OCSP Responders
- Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED)
  for OCSP Responders.

Clarifications:
- A note is added to the OCSP Responder section explaining that
  because CPs limit the validity and purposes of a certificate, it
  becomes possible to create an "invalid" responder that clients will
  reject (and thus also reject responses), and that this is part of
  the reason for forbidding.
- For TLS certificates, the requirements for CPs for sub-CAs versus
  leaf certificates had a slightly different wording: whether a given
  CP needed to be documented by the CA (e.g. could be any policy,
  including a reserved CP or anyPolicy) or needed to be _defined_ and
  documented by the CA (i.e. must be from the CA's own OID arc). This
  harmonizes the language for TLS ("defined by"), while still leaving a
  fairly large carveout for non-TLS ("documented").

* Minor fixes and cleanups (#399)

* Add order and encoding requirement for DC attribute

* Remove overly specific Cross-cert requirement; fix serialNumber encoding

* Clarify NC exclusion

* Remove "Domain Name or IP Address" validation requirement for now

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Integrate newer ballots (#406)

* Update README (#294)

Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Adjust the workflow file to build the actions (#296)

This addresses a few requests that recently came up from the certificate
profiles work:

- Remove the explicit retention period (of 21 days) to allow the GitHub
  default of 90 days.
- Change the generated ZIP file from being "BR.md-hash" to being
  "BR-hash".
- Allow manually invoking the workflow (via workflow_dispatch), in the
  event folks want to re-run for a particular branch (e.g. profiles)
- Attempt to resolve the "non-deterministic redline" noted by Jos. When
  a given commit is on cabforum/servercert, it may be both a commit (to
  a branch) and part of a pull request (to main). We want the pull
  request redline to be against main, while the commit redline to be
  against the previous commit. Because both jobs run, and both upload
  the same file name, this results in a non-deterministic clobbering,
  where the commit-redline may clobber the pr-redline. This changes
  the generated zip file to be "file-hash-event_type", so that it
  will generate redlines for both PRs and commits and attach both.

* SC47 Sunset subject:organizationalUnitName (#282) (#290)

* SC47 Sunset subject:organizationalUnitName (#282)

* Deprecation of subject:organizationalUnitName

* Update language to avoid confusion on the effective date

This version updates SC47 to state "issued on or after September 1, 2022" and makes the EV Guidelines reference the BRs as suggested by Ryan Sleevi from Google.

Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* SC47 datefix (#298)

* Update dates table

* Update EVG.md

Add SC47 reference to relevant dates table

* Fixup section number in prior commit

Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>

* SC48 - Domain Name and IP Address Encoding (#285) (#302)

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* SC48 - Domain Name and IP Address Encoding (#285)

* First pass

* Add more RFC references, some wordsmithing

* Another few fixes

* Switch to use "LDH Labels"

* Propose concrete effective date

* Clarification about root zone trailing dot

* Replace "label" with "Domain Label" throughout (#1)

Replace "label" with "Domain Label" and "domain name" with "Domain Name" throughout

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>

* Fix double negative

* Fix redundant "if the"

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos <castillar@melete.org>

* Wrap xn-- to prevent ligaturization

* Update dates and version numbers

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC50 - Remove the requirements of 4.1.1 (#328)

* SC50 - Remove the requirements of 4.1.1 (#323)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Remove 4.1.1; persist compromised keys in 6.1.1.3

Remove section 4.1.1 from the BRs
Explicitly require persistent access to compromised keys

* Rebase based on upstream/main

* Move System requirement to 6.1.1.3

* Add 4.1.1 as blank

* Remove capitalization from 6.1.1.3 where terms are not defined

* Re-add 'No stipulation.' to 4.1.1

* Remove change to 6.1.1.3

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update version and date table

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC53: Sunset SHA-1 for OCSP signing (#330) (#338)

* Sunset SHA-1 for OCSP signing (#330)

* Sunset SHA-1 OCSP signing

* Clarify necessity of both items

* Standardize date format, fix year in effective date table

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version, table, and date

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Bump actions/checkout from 2 to 3 (#342)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Ballot SC51: Reduce and Clarify Log and Records Archival Retention Requirements (#347)

* Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements  (#336)

* Bump cairosvg from 1.0.20 to 2.5.1

Bumps [cairosvg](https://github.com/Kozea/CairoSVG) from 1.0.20 to 2.5.1.
- [Release notes](https://github.com/Kozea/CairoSVG/releases)
- [Changelog](https://github.com/Kozea/CairoSVG/blob/master/NEWS.rst)
- [Commits](Kozea/CairoSVG@1.0.20...2.5.1)

Signed-off-by: dependabot[bot] <support@github.com>

* Bump kramdown from 2.3.0 to 2.3.1

Bumps [kramdown](https://github.com/gettalong/kramdown) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/gettalong/kramdown/releases)
- [Changelog](https://github.com/gettalong/kramdown/blob/master/doc/news.page)
- [Commits](https://github.com/gettalong/kramdown/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* Restructure  parts of 5.4.x and 5.5.x

* Use 'events' consistently in 5.4.1

* Forgot to remove "revocation" as condition for start of retention period of Subscriber Certificates.

* Introduce possessive in 5.4.1 and 5.5.1 to better deliniate responsiblities of CAs using DTPs

* Remove WIP title;

* re-order list in 5.5.2; add 'or' clause to validation documentation archival list entry.

* Incorporate feedback from Aaron and Dimitris in Servercert-wg Discussion Period

Based on the feedback from Aaron here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003115.html) and here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003125.html), update 5.5.1 and 5.5.2.
Based on the feedback from Dimitris here (https://lists.cabforum.org/pipermail/servercert-wg/2022-January/003110.html), update 5.4.3 and 5.5.2.

* Update link formatting in 5.4.1

The "Section" links throughout include the word "Section" in the link, except for in 5.4.1; this fixes that inconsistency.

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>

* Update effective date and version number

* Update ballot table in document

* Fix date string

Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Ballot SC54: Onion Cleanup (#369)

* SC-54: Onion cleanup (#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* SC-54: Onion cleanup (#348)

The voting on ballot SC54 has completed, and the ballot has passed.

Voting Results
Certificate Issuers
votes total, with no abstentions:
18 Yes votes: Amazon, Buypass, DigiCert, eMudhra, Entrust, GDCA, GlobalSign, GoDaddy, HARICA, Izenpe, JPRS, NAVER, OISTE, Sectigo, SwissSign, TrustCor, SecureTrust, Visa
0 No Votes
0 Abstentions
Certificate Consumers
6 votes total, with no abstentions:
6 Yes votes: 360, Apple, Cisco, Google, Microsoft, Mozilla
0 No votes
0 Abstentions

Bylaw Requirements
1.     Bylaw 2.3(f) requires:
·      A "yes" vote by two-thirds of Certificate Issuer votes and by 50%-plus-one of Certificate Consumer votes. Votes to abstain are not counted for this purpose.
This requirement was MET for Certificate Issuers and MET for Certificate Consumers.
·      At least one Certificate Issuer and one Certificate Consumer Member must vote in favor of a ballot for the ballot to be adopted.
This requirement was MET.
2.    Bylaw 2.3(g) requires that a ballot result only be considered valid when “more than half of the number of currently active Members has participated”. Votes to abstain are counted in determining quorum. Half of the currently active members at the start of voting was 14, so the quorum was 15 for this ballot.
This requirement was MET.

This ballot now enters the IP Rights Review Period to permit members to review the ballot for relevant IP rights issues.

——

* Addresses #270 allowing method 3.2.2.4.20 for `.onion` domains.

* Addresses #242 creating an exception for `.onion` domains, using existing language from the opening section of 3.2.2.4.

* Addresses #241 removing the currently deprecated Domain validation method 3.2.2.4.6.

* Addresses #240. Things are signed using private, not public keys.

* Addresses #190, #191. According to #191 (comment),  effectively 2021-10-15 is when v2 stops working everywhere. We could proceed without an effective date, remove most of Appendix F in the EV Guidelines and point to Appendix B of the Baseline Requirements directly. No strong feelings either way.

* This is a mitigation against a malicious CA but the Applicant ultimately creates the Nonce.
We agreed with Corey and Wayne to propose the removal of the  requirement for the CA to *confirm* entropy.

* Update language to deprecate legacy Appendix F validation method with "immediate" effect, after the ballot clears IPR (30 days after voting).

* remove double space

* Remove EVG Appendix F, introduce Onion Domain Name term

* A few more minor tweaks

* Fix numbering

* Update for easier read.

* Revert "Update for easier read."

This reverts commit 1bac785.

Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>

* Update version numbers and dates

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>

* Integrate SC-48 CN requirements

Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

Create dedicated branch and sync with "profiles" branch (as of Jan 17, 2023).

* Update BR.md

Address Comments:
- #402 (comment) (added "CRL")
- #414 (comment) (as suggested)

* Align with BRs

Inadvertent numbering change.

* Update BR.md

Add consideration for a phased reduction of short-lived subscriber certificate validity. 

(in response to #414 (comment))

* Update BR.md

Cleaning-up proposal in advance of discussion.

* Update EVG.md

[clean-up diff, this file was not intentionally modified in the PR]

* Update BR.md

[clean-up]

* Update BR.md

[cleanup]

* Update BR.md

* Update BR.md

* Update BR.md

begin integrating SC-61 language.

* integrate sc61

* Update BR.md

continue tweaking to include sc61

* Update BR.md

improve readability

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

correct spelling error

* Update BR.md

* Update BR.md

typo

* Update BR.md

* Update BR.md

* Update BR.md

* Improve specificity of CRL issuance frequency

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

Typo (thanks, Wendy!)

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update docs/BR.md

Editorial

Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BR.md

* Update BR.md

* Update BR.md

Address comment from Aaron: "I'm not in favor of allowing CRLs to remain non-updated for 7 days because that is a regression from current OCSP behavior. Section 4.9.10.(4) makes it so that updated revocation information is always available "no later than four days after the thisUpdate". Therefore, a CA operating in a CRLs-only mode should be required to update their CRLs at least once every 4 days."

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update docs/BR.md

Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>

* Update BR.md

"twenty four" -> "twenty-four"

* Update BR.md

* Add provision to handle nonces per RFC8954

* Update BR.md

Improve readability.

* Update BR.md

* Update BR.md

* Update BR.md

CAs issuing CA certificates should publish a new CRL if _any_ certificate is revoked, not just CA certificates.

This change is intended to force CRL publication in the event that a delegated OCSP responder's certificate was revoked (for example, due to key compromise).

* Address comment from Rob

* Clean up language

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Update BR.md

* Address formatting nits

* Address table formatting nits.

* Remove redundant language re: nextUpdate

* Clarify use of "unspecified" CRL Reason Code

* Clarify IDP

* (Further) Clarify IDP

* Update BR.md

Make sure that where the word "Certificate" was introduced in this proposal, it is capitalized correctly.

* Update BR.md

Nits.

---------

Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BR.md

---------

Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Fall 2023 clean up (#460)

* Issue#169

Issue #169 
- updated 3.2.2.5.6 and 3.2.2.5.7
- added RFC 8738 in References

* Issue #174

Issue #174 
- Updated title in section 3.2.2.4.10
- Updated section 3.2.2.4.18

* Issue #337

Issue #337 
- Updated title of the document to include TLS Server
And also:
- updated section 1.1, 1.2, 1.5 and 2.2 to be consistent with the new document name

* Issue #423

Issue #423 
Updated section 1.6.3
- removing version of the Webtrust and changing the link to redirect to all the documents published by CPA Canada
- removing version of the NetSec and changing the link to redirect to the NetSec documents

* Issue #430

Issue #430 

Updated with the text suggested by Aaron as it´s the smallest change and clarifies the ambiguity of "reuse"

* Issue #444

Issue #444 

Added empty section 7.1.5

* Issue #450

Issue #450 
Updated including link to the 6.2.7 section

* Issue #453

Issue #453 

Updated section as indicated

* PR #415

PR #415 
Updated title

* Update BR.md

Change order of "pending prohibition" and "P-label" in section 1.6.3 definitions to follow alpahabetical order

* Update BR.md

Updated version and changelog

* Issue #461

Issue #461 
Used 2 option for the update

* Update docs/BR.md

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Add line breaks in 7.1.2.11.2

According to #462

* Revert the change of the NSSR version

Put back the version 1.7 in the NetSec

* Update BR.md

---------

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

---------

Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>

* Update BRs with the new EVGs section numbers.md

Changed sections 3.2.2.4.7 and 7.1.2.7.5, updating the following:
Section 3.2.2.4.7
EVG 11.14.3 to new 3.2.2.14.3

Section 7.1.2.7.5
EVG 9.2 to new 7.1.4.2

* Update EVG.md

Updated section 7.1.2.2 to fix the link to section 7.1.4.2.8

---------

Co-authored-by: Martijn Katerbarg <martijn.katerbarg@sectigo.com>
Co-authored-by: Ryan Dickson <ryan.dickson@gmail.com>
Co-authored-by: Ryan Sleevi <rsleevi@chromium.org>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Corey Bonnell <corey.bonnell@digicert.com>
Co-authored-by: Jos <castillar@melete.org>
Co-authored-by: Jos Purvis <jopurvis@cisco.com>
Co-authored-by: Ryan Sleevi <sleevi@google.com>
Co-authored-by: Paul van Brouwershaven <vanbroup@users.noreply.github.com>
Co-authored-by: Ryan Sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Wayne Thayer <wthayer@gmail.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Clint Wilson <clintw@apple.com>
Co-authored-by: Dimitris Zacharopoulos <dzacharo@users.noreply.github.com>
Co-authored-by: Aaron Gable <aaron@aarongable.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

8 participants