Cleanup 2025 #628
Cleanup 2025 #628
Conversation
…to S/MIME language
|
Based on discussion in the Validation Subcommittee today (Dec 11, 2025), #642 (#642) could be included in this cleanup. While there was consensus that this change is not necessary to enable the use of RDAP for the purposes of Section 3.2.2.14.1 in the EVGs (due to inherited definition of "WHOIS" from the TBRs), it was agreed that adding clarity would help avoid potential confusion in the future. |
Fixed with 6bfbe3a |
…e references section should also be updated.
| | 2024-03-15 | [4.9.7](#497-crl-issuance-frequency) | CAs MUST generate and publish CRLs. | | ||
| | 2024-09-15 | [4.3.1.2](#4312-linting-of-to-be-signed-certificate-content) | The CA SHOULD implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | ||
| | 2025-01-15 | [4.9.9](#499-on-line-revocationstatus-checking-availability) | Subscriber Certificate OCSP responses MUST be available 15 minutes after issuance. | | ||
| | 2025-01-15 | [3.2.2.4](#3224-validation-of-domain-authorization-or-control) | CAs MUST NOT rely on HTTPS websites to identify Domain Contact information. CAs MUST rely on IANA resources for identifying Domain Contact information. | | ||
| | 2025-03-15 | [4.3.1.2](#4312-linting-of-to-be-signed-certificate-content) | The CA SHALL implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | ||
| | 2025-03-15 | [8.7](#87-self-audits) | The CA SHOULD use a Linting process to test the technical accuracy of already issued Certificates against the sample set chosen for Self-Audits. | | ||
| | 2025-03-15 | [3.2.2.9](#3229-multi-perspective-issuance-corroboration) | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | | ||
| | 2025-07-15 | [3.2.2.4](#3224-validation-of-domain-authorization-or-control) | CAs MUST NOT rely on Methods 3.2.2.4.2 and 3.2.2.4.15 to issue Subscriber Certificates. | | ||
| | 2025-12-01 | [5.7.1.2](#5712-mass-revocation-plans) | CAs SHALL assert in section 5.7.1 of their CPS or combined CP/CPS their mass revocation plan, testing, and continuous improvements. | |
There was a problem hiding this comment.
If we're cleaning up old effective dates, why aren't we cleaning up these ones? What's special about the beginning of 2024 that we're keeping dates after then?
Especially the second item (SHOULD implement Linting) whose corresponding sentence has already been deleted from the body of section 4.3.1.2.
| - if using the Registry Data Access Protocol ([RFC 7482](https://datatracker.ietf.org/doc/html/rfc7482)), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. | ||
| - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. | ||
|
|
||
| Effective 2025-07-15: |
There was a problem hiding this comment.
Why are we preserving the text of this method at all? It cannot be used, and its validation data cannot be reused, so it is now fully irrelevant. This ballot should replace this whole section with
This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.
and the corresponding Relevant Dates can be removed from the table in Section 1.2.2.
There was a problem hiding this comment.
The convention has been to retain the method until all certs issued using the method have expired.
| @@ -881,16 +843,17 @@ Confirming the Applicant's control over the FQDN by validating the Applicant is | |||
|
|
|||
| **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. | |||
|
|
|||
| Effective January 15, 2025: | |||
| Effective 2025-01-15: | |||
There was a problem hiding this comment.
Why are we preserving this effective date? This line should be removed, and the bullet points below it should be promoted to standalone paragraphs.
| - if using the Registry Data Access Protocol ([RFC 7482](https://datatracker.ietf.org/doc/html/rfc7482)), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. | ||
| - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. | ||
|
|
||
| Effective 2025-07-15: |
There was a problem hiding this comment.
Why are we preserving the text of this method at all? It cannot be used, and its validation data cannot be reused, so it is now fully irrelevant. This ballot should replace this whole section with
This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.
and the corresponding Relevant Dates can be removed from the table in Section 1.2.2.
| Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, it is considered best practice for the CA to implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by [RFC 6962, Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2). | ||
|
|
||
| Effective 2025-03-15, the CA SHALL implement such a Linting process. |
There was a problem hiding this comment.
Why did we delete one of these effective dates but not the other? It's time to just integrate the requirement into the paragraph.
| Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, it is considered best practice for the CA to implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by [RFC 6962, Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2). | |
| Effective 2025-03-15, the CA SHALL implement such a Linting process. | |
| Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, the CA MUST implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by [RFC 6962, Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2).``` |
| @@ -1518,7 +1493,7 @@ No stipulation. | |||
| No stipulation. | |||
|
|
|||
| ### 4.8.7 Notification of certificate issuance by the CA to other entities | |||
|
|
|||
| 2 | |||
There was a problem hiding this comment.
Typo
| 2 |
|
|
||
| OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019. The CA MAY process the Nonce extension (`1.3.6.1.5.5.7.48.1.2`) in accordance with RFC 8954. | ||
| OCSP responders operated by the CA SHALL support the HTTP GET method, as described in [RFC 6960](https://datatracker.ietf.org/doc/html/rfc6960) and/or [RFC 5019](https://datatracker.ietf.org/doc/html/rfc5019). The CA MAY process the Nonce extension (1.3.6.1.5.5.7.48.1.2) in accordance with [RFC 8954](https://datatracker.ietf.org/doc/html/rfc8954). | ||
|
|
||
| For the status of a Subscriber Certificate or its corresponding Precertificate: | ||
|
|
||
| - Effective 2025-01-15, an authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. |
There was a problem hiding this comment.
| - Effective 2025-01-15, an authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. | |
| - An authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. |
| @@ -1955,21 +1939,21 @@ The business continuity plan MUST include: | |||
|
|
|||
| #### 5.7.1.2 Mass Revocation Plans | |||
|
|
|||
| CA organizations MUST have a mass revocation plan, and as of December 1, 2025, they SHALL assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. | |||
| CA organizations MUST have a mass revocation plan, and as of 2025-12-01, they SHALL assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. | |||
There was a problem hiding this comment.
| CA organizations MUST have a mass revocation plan, and as of 2025-12-01, they SHALL assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. | |
| CA organizations MUST have a mass revocation plan, and they MUST assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. |
| 1. In the case of Debian weak keys vulnerability (https://wiki.debian.org/SSLkeys), the CA SHALL reject all keys found at https://github.com/cabforum/Debian-weak-keys/ for each key type (e.g. RSA, ECDSA) and size listed in the repository. For all other keys meeting the requirements of [Section 6.1.5](#615-key-sizes), with the exception of RSA key sizes greater than 8192 bits, the CA SHALL reject Debian weak keys. | ||
| 2. In the case of ROCA vulnerability, the CA SHALL reject keys identified by the tools available at https://github.com/crocs-muni/roca or equivalent. | ||
| 3. In the case of Close Primes vulnerability (https://fermatattack.secvuln.info/), the CA SHALL reject weak keys which can be factored within 100 rounds using Fermat’s factorization method. | ||
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. For requests submitted on or after 2024-11-15, at least the following precautions SHALL be implemented: |
There was a problem hiding this comment.
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. For requests submitted on or after 2024-11-15, at least the following precautions SHALL be implemented: | |
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. At least the following precautions SHALL be implemented: |
|
|
||
| Effective July 15, 2025: | ||
| - The CA MUST NOT rely on this method. | ||
| - Prior validations using this method and validation data gathered according to this method MUST NOT be used to issue Subscriber Certificates. | ||
|
|
||
| ##### 3.2.2.4.3 Phone Contact with Domain Contact | ||
|
|
||
| This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates. |
There was a problem hiding this comment.
"certificates" -> "Certificates"
This capitalization varies even from the para before.
There is inconsistency in capitalization of Defined Terms throughout the text.
There was a problem hiding this comment.
@srdavidson the phrase "Subscriber Certificate*" appears 64 times with a capital "C" and only once with a lowercase "c"- in section 7.1.2.7.11.
The word "Certificate*" with a capital "C" appears 882 times in the document, while with a lowercase "c" it appears 209 times.
If we want to set broader rules for capitalization, it would be good to create a separate issue for that and include that in a future cleanup.
|
|
||
| **WHOIS**: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in RFC 3912, the Registry Data Access Protocol defined in RFC 7482, or an HTTPS website. | ||
| **WHOIS**: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in [RFC 3912](https://datatracker.ietf.org/doc/html/rfc3912), the Registry Data Access Protocol defined in [RFC 9082](https://datatracker.ietf.org/doc/html/rfc9082), or an HTTPS website. |
There was a problem hiding this comment.
This should not be in a cleanup as this changes normative requirements from what was in the old RFC to what is in the new RFC without review of the respective requirements and ensuing discussion.
There was a problem hiding this comment.
Good point. Until people have time to read the new RFC, let's use the older RFC.
| @@ -924,20 +887,22 @@ The Random Value SHALL remain valid for use in a confirming response for no more | |||
|
|
|||
| **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. | |||
|
|
|||
| Effective January 15, 2025: | |||
| Effective 2025-01-15: | |||
There was a problem hiding this comment.
See Aaron's comment about continuing to include past effective dates. This should also simply be removed.
No description provided.