Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Ryan Sleevi via Public
I appreciate your attention to the Bylaws, but I would suggest Jurgen's response is a clear example where "compliance with root programs' expectations" != "service offerings". Of course, if the answer is "We'll be offering other services" rather than "We'll be complying with various other

Re: [cabfpub] Volunteers needed to serve on a Patent Advisory Group (PAG) for Ballot 182

2017-01-13 Thread Doug Beattie via Public
Hi Peter, I think we referenced the right section, 3.2.2.4.9 Test Certificate, in the exclusion notice. From: Peter Bowen [mailto:p...@amzn.com] Sent: Friday, January 13, 2017 2:52 PM To: CA/Browser Forum Public Discussion List ; Doug Beattie

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Dean Coclin via Public
Just a friendly reminder that our bylaws specifically prohibit certain discussions: all participants agree not to discuss or exchange information related to: (a) Pricing policies, pricing formulas, prices or other terms of sale; (b) Costs, cost structures, profit margins, *(c) Pending or

Re: [cabfpub] Volunteers needed to serve on a Patent Advisory Group (PAG) for Ballot 182

2017-01-13 Thread Peter Bowen via Public
Doug, I think it would be great to have someone from GlobalSign on the PAG, as I was rather confused when I saw the GlobalSign exclusion notice posted. The IPR policy specifically does not allow a member to file exclusions on items contributed by the member. As I’m sure you remember, Section

Re: [cabfpub] Volunteers needed to serve on a Patent Advisory Group (PAG) for Ballot 182

2017-01-13 Thread Jeremy Rowley via Public
I'll volunteer From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Doug Beattie via Public Sent: Thursday, January 12, 2017 5:37 AM To: Kirk Hall Cc: Doug Beattie ; CA/brow...@p3plcabfweb01.prod.phx3.secureserver.net;

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Jeremy Rowley via Public
No - DigiCert didn’t request an extension and endorsed the ballot with the six month language. However, I haven’t checked with all of the cross-signed entities to see what their compliance plans are. I’m betting 12 months is more realistic for them, but I have insufficient data to support

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Jeremy Rowley via Public
And it seems like Entrust gave precise data. They’d like a year to implement. I don’t see how this isn’t specific. From: Ryan Sleevi [mailto:sle...@google.com] Sent: Thursday, January 12, 2017 3:50 PM To: Jeremy Rowley Cc: CA/Browser Forum Public Discussion List

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Ryan Sleevi via Public
On Fri, Jan 13, 2017 at 7:23 AM, Gervase Markham via Public < public@cabforum.org> wrote: > On 13/01/17 14:55, Doug Beattie wrote: > > I'd suggest we include exactly what is required in the ballot and if > > the RFC changes then we have a new ballot to specify the changes and > > effective dates.

Re: [cabfpub] Further unencumbered domain validation methods?

2017-01-13 Thread Geoff Keating via Public
> On Jan 13, 2017, at 9:51 AM, Gervase Markham via Public > wrote: > > I've been reviewing the IPR Exclusion Notices filed on ballot 182: > https://cabforum.org/ipr-exclusion-notices/ > … > This suggests that methods 1

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Ryan Sleevi via Public
Reposting on Jurgen's behalf, because this does add useful information to the discussion of timing and what CAs' other priorities are, which helps make sure browsers (like us) are cognizant of the impact :) On Fri, Jan 13, 2017 at 12:46 AM, Jürgen Brauckmann wrote: > Am

Re: [cabfpub] Mozilla SHA-1 further restrictions (v4)

2017-01-13 Thread Richard Barnes via Public
[unicast] Just tuning in here, may be missing context, but this seems like something that should be on m.d.s.p? On Jan 12, 2017 12:52 PM, "Gervase Markham via Public" wrote: > Here's v4. I've decided to leave the email situation unchanged for now, > in the name of getting

[cabfpub] Further unencumbered domain validation methods?

2017-01-13 Thread Gervase Markham via Public
I've been reviewing the IPR Exclusion Notices filed on ballot 182: https://cabforum.org/ipr-exclusion-notices/ It seems that people have made claims which purport to cover the following methods in section 3.2.2.4: 2, 3, 4: Symantec: 7: GoDaddy 9: GlobalSign However, ballot 182 contained the

Re: [cabfpub] Further unencumbered domain validation methods?

2017-01-13 Thread Kirk Hall via Public
I would support this. Can we wait to start a new Ballot adding back Methods 1 and 8 to BR 3.2.2.4 until we have adopted clarifying changes to our Bylaws (Ballot 183) that will apply to new ballots amending Final Guidelines (here, amending the BRs)? -Original Message- From: Public

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Steve Medin via Public
Pending questions handled by an explanatory new angle. Since EV Certificate Approvers and their non-EV counterparts are implemented in Enterprise RA accounts as 2FA-credentialed issuance portal administrators with access to a pre-vetted collection of domains, would you think that if we discover

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Doug Beattie via Public
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > > On 13/01/17 13:13, Doug Beattie wrote: > > As it stands, this means that CAs must support Issuer Critical, issue > > and issuewild today and then to support other Property Tags as they > > are added (without an

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Gervase Markham via Public
Hi Bruce, On 12/01/17 18:28, Bruce Morton wrote: > There needs to be some consideration for existing agreements with > Subscribers. Is this the issue you raised in previous discussions, or a different issue? It seems the same, but I want to make sure. If it is the same, as noted in the comments

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Gervase Markham via Public
On 13/01/17 13:13, Doug Beattie wrote: > As it stands, this means that CAs must support Issuer Critical, issue > and issuewild today and then to support other Property Tags as they are > added (without an indication of when they need to be supported). The > spec also says that you must check the

Re: [cabfpub] Updated draft of Ballot 183 (ballot process)

2017-01-13 Thread Gervase Markham via Public
Hi Virginia, This is looking really good - again, thank you for your continued hard work. I only have a few minor comments. On 13/01/17 00:09, Virginia Fournier via Public wrote: > Based on comments received from Kirk, Gerv and Ryan, here is an updated > draft of Ballot 183. Please let me know

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Gervase Markham via Public
On 12/01/17 18:47, Steve Medin via Public wrote: > The proposed amendment does not invalidate and is in conflict with: > > BR 4.1.2. Enrollment Process and Responsibilities, specifically: > > One certificate request MAY suffice for multiple Certificates to be > issued to the same Applicant,

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Doug Beattie via Public
Gerv, Do we need to add any clarification to this statement: …CA must check for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued, according to the procedure in RFC 6844. As it stands, this means that CAs must support Issuer Critical, issue and

Re: [cabfpub] Mozilla SHA-1 further restrictions (v4)

2017-01-13 Thread Gervase Markham via Public
On 12/01/17 19:34, Tim Shirley wrote: > Besides EKU, I presume this should also list adding the pathlen:0 > constraint if it was previously absent. Yes. > It would probably be good to > include serial number as well, so no one could interpret this as a > requirement to duplicate a serial

Re: [cabfpub] Draft CAA motion (3)

2017-01-13 Thread Gervase Markham via Public
On 13/01/17 14:55, Doug Beattie wrote: > I'd suggest we include exactly what is required in the ballot and if > the RFC changes then we have a new ballot to specify the changes and > effective dates. Well, it's not the RFC that would change - if it was, that would be simpler :-) It's the

Re: [cabfpub] Mozilla SHA-1 further restrictions (v4)

2017-01-13 Thread Doug Beattie via Public
> On 12/01/17 19:06, Doug Beattie wrote: > > Is there a provision for signing SHA-1 OCSP signing certificates? > > Perhaps this is covered in #1, but specifically allowing SHA-1 OCSP > > Signing certificates (under SHA-1 CAs which have active SHA-1 TLS > > certificates) would be a good idea for