SC-72 - Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED #490
Conversation
@vanbroup: This section (9.7) of the EVGs begins with: Am I right that what you're trying to do here is align the EVG requirements for Subscriber Certificate certificatePolicies extensions with the equivalent BR requirements? If so, then wouldn't it make more sense for this draft ballot to remove the 3rd exception in section 9.7 entirely?
As I recall, this discrepancy was discussed multiple times during the years of work on SC62. This is not (and never has been) an unintentional discrepancy, but rather an intentional difference between the TBRs and the EVGs - representing a consensus view and compromise based on numerous discussions in the CA/B Forum. Broadly in those discussions some CAs (Entrust included, iirc) indicated a strong preference to preserve allowing Given this rather large and sudden reversal of position, it seems like the proposal here may be better represented by disallowing
I agree with @robstradling that the most straightforward way to align the EVGs and BRs is to merely remove the exception in the EVGs. Also, could this ballot be updated to remove the "MUST add a cPSuri policyQualifier to externally operated EV Subordinate CA certificates" requirement in section 9.7 (2)? I think this also has the potential for being missed by readers of the BR and EVG.
I don't recall that this was brought up as an intentional discrepancy and have not been able to find this in the minutes. The limited search in the mail archives is not very reliable, so please point me to the right minutes if you can. As you stated, Entrust was strongly in favor of preserving the cPSuri in the policyQualifiers, but we found consensus with the agreement that this information will remain in the issuing hierarchy.
Paul, in the TLS BRs, policyQualifiers are also NOT RECOMMENDED in the TLS CA Certificate Profile. See Section 7.1.2.10.5.
The EVG already includes all provisions of the TLS BRs, no need to re-specify this here.
Thanks for the correction. It would be great if we had a recording or good minutes of this discussion; maybe we were heading in that direction at some point but eventually decided to keep it NOT RECOMMENDED everywhere. For this ballot we only care about what the requirements currently state, so let's focus on that for the text and justification of the ballot.
@robstradling @CBonnell I removed the exceptions as it indeed clearly states "All provisions of the Baseline Requirements concerning Minimum Cryptographic Algorithms, Key Sizes, and Certificate Extensions apply to EV Certificates with the following exceptions". @dzacharo are you ok with this as an endorser of the ballot? |
As we are removing the text from the EVGs, I think it would be better to have a separate ballot to propose changing the inclusion for policyQualifiers from NOT RECOMMENDED to MUST NOT in the BRs. |
I agree to align with the current TLS BRs, which do not cause any conflicts with other existing standards that might require the existence of the cPSUri.
This ballot updates the TLS Extended Validation Guidelines (EVGs) by removing the exceptions to policyQualifiers in section 9.7, to align them with the Baseline Requirements (BRs). As a result, this ballot changes policyQualifiers from MUST to NOT RECOMMENDED as stated in the TLS Baseline Requirements, resolving a discrepancy introduced by Ballot SC-62v2 between section 7.1.2.7.9 Subscriber Certificate Policies of the BRs and the Additional Technical Requirements for EV Certificates in the EVGs.

The following motion has been proposed by Paul van Brouwershaven (Entrust) and endorsed by Dimitris Zacharopoulos (HARICA) and Iñigo Barreira (Sectigo).
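The practical effect of the ballot text above is a profile check: an EV Subscriber Certificate's certificatePolicies extension should carry its policy identifier without a policyQualifiers field (cPSuri or userNotice). The following is an added example, not part of the ballot or of any CA/B Forum tooling: a minimal, stdlib-only DER walker that builds a certificatePolicies extension value and then lints it, reporting every policyQualifier it finds so a CA's pre-issuance checks can flag the NOT RECOMMENDED construct. The CA/Browser Forum EV policy OID (2.23.140.1.1) and the id-qt-cps / id-qt-unotice qualifier OIDs are real; the CPS URI is a constructed sample value, and the builder only encodes the cPSuri form of a qualifier.

```python
"""Lint a DER-encoded certificatePolicies extension for policyQualifiers.

Added example (not from the ballot). Implements just enough DER to
encode/decode:
  certificatePolicies ::= SEQUENCE OF PolicyInformation
  PolicyInformation   ::= SEQUENCE { policyIdentifier OID,
                                     policyQualifiers SEQUENCE OF
                                       PolicyQualifierInfo OPTIONAL }
  PolicyQualifierInfo ::= SEQUENCE { policyQualifierId OID, qualifier ANY }
"""
from typing import List, Optional, Tuple

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # cPSuri qualifier, value is IA5String
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # userNotice qualifier
CABF_EV_POLICY = "2.23.140.1.1"       # CA/Browser Forum EV policy identifier

TAG_OID, TAG_IA5STRING, TAG_SEQUENCE = 0x06, 0x16, 0x30


def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])  # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(TAG_OID, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    first = body[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + ln], pos + ln


def parse_sequence(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the body of a SEQUENCE into its (tag, body) children."""
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        items.append((tag, inner))
    return items


def build_certificate_policies(policies) -> bytes:
    """policies: list of (policy_oid, [(qualifier_oid, cps_uri_text), ...]).
    Only cPSuri-style (IA5String) qualifiers are encoded by this helper."""
    infos = []
    for oid, quals in policies:
        body = der_oid(oid)
        if quals:
            qinfos = b"".join(
                der_tlv(TAG_SEQUENCE, der_oid(q) + der_tlv(TAG_IA5STRING, t.encode("ascii")))
                for q, t in quals)
            body += der_tlv(TAG_SEQUENCE, qinfos)
        infos.append(der_tlv(TAG_SEQUENCE, body))
    return der_tlv(TAG_SEQUENCE, b"".join(infos))


def lint_certificate_policies(ext_value: bytes) -> List[Tuple[str, str, Optional[str]]]:
    """Return one (policy_oid, qualifier_oid, cps_uri_or_None) finding per
    policyQualifier present; an empty list means the extension is clean."""
    tag, body, _ = parse_tlv(ext_value)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    findings = []
    for _, pinfo in parse_sequence(body):
        fields = parse_sequence(pinfo)
        policy_oid = decode_oid(fields[0][1])
        if len(fields) > 1:  # optional policyQualifiers present
            for _, pq in parse_sequence(fields[1][1]):
                qid_body, (vtag, vbody) = parse_sequence(pq)[0][1], parse_sequence(pq)[1]
                qid = decode_oid(qid_body)
                uri = vbody.decode("ascii") if qid == ID_QT_CPS and vtag == TAG_IA5STRING else None
                findings.append((policy_oid, qid, uri))
    return findings


# Constructed samples: the pre-ballot EVG shape (cPSuri qualifier present)
# next to the BR-aligned shape (policy identifier only).
WITH_CPSURI = build_certificate_policies(
    [(CABF_EV_POLICY, [(ID_QT_CPS, "https://example.com/cps")])])
BR_ALIGNED = build_certificate_policies([(CABF_EV_POLICY, [])])

if __name__ == "__main__":
    for name, ext in (("with cPSuri", WITH_CPSURI), ("BR-aligned", BR_ALIGNED)):
        print(name, lint_certificate_policies(ext) or "no policyQualifiers")
```

In a real pipeline the `ext_value` bytes come from the certificate's certificatePolicies extension (OID 2.5.29.32) after the usual X.509 parsing; the walker above deliberately stops at the qualifier level, since the finding a linter needs is only that a qualifier exists.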