Ballot-188 failed

Ballot 188 – Clarify use of term “CA” in Baseline Requirements

Server Certificate Working Group

Key dates

Voting opened: 23 Feb 2017
Voting closed: 02 Mar 2017
Discussion opened: 16 Feb 2017
Discussion closed: 23 Feb 2017

AI Summary

Generated 2026-06-23 21:32 UTC

Ballot overview

  • Ballot 188, Clarify use of term CA in Baseline Requirements, is a Server Certificate Working Group ballot.
  • The ballot proposes broad terminology updates in the Baseline Requirements, including replacing and redefining terms such as CA, Root CA, Subordinate CA, CA Certificate, Root CA Certificate, and Subordinate CA Operator.
  • It also proposes changes to revocation, OCSP, key generation, logging, name constraints, certificate policy identifiers, audit scope, and CA representations and warranties.

Outcome

  • The ballot fails.
  • The page states that quorum was met, but the approval thresholds were not met for either CAs or browsers.
  • Voting results shown on the page:
    • CAs: 3 yes, 6 no, 1 abstain
    • Browsers: 0 yes, 2 no, 0 abstain

Key proposed requirements

  • The motion would redefine the scope of the Baseline Requirements so they apply to all CAs that can issue a certificate in a chain from a publicly trusted root certificate.
  • It would add or revise definitions for CA Certificate, Certification Authority, Root CA Operator, Root CA Certificate, Subordinate CA Operator, Subordinate CA Certificate, Externally Operated Subordinate CA, and Internally Operated Subordinate CA.
  • It would revise revocation rules for Subordinate CA Certificates, including a requirement that the Issuing CA revoke a Subordinate CA Certificate within seven days under specified conditions.
  • It would update OCSP and revocation-status requirements, including support for OCSP using the GET method and revised rules for OCSP responses and signing certificates.
  • It would revise key generation and key protection requirements for Root CA Certificates and Subordinate CA Certificates.
  • It would update certificate profile requirements for Root CA Certificates, Subordinate CA Certificates, and Subscriber Certificates, including policy identifiers, key usage, authority information access, and name constraints.
  • It would require that Subordinate CA Certificates issued after the Effective Date to Externally Operated Subordinate CAs include explicit policy identifiers and not contain anyPolicy, while Internally Operated Subordinate CA Certificates may use anyPolicy.
  • It would require Root CA Operators to be responsible for the performance, warranties, liabilities, and indemnification obligations of their Externally Operated Subordinate CAs.

Procedure and dates

  • Discussion period: 16 Feb. 2017 to 23 Feb. 2017
  • Vote for approval: 23 Feb. 2017 to 2 Mar. 2017
  • If approved, a Review Period would begin upon filing of the Review Notice by the Chair and last 30 days.
  • The ballot states that if no Exclusion Notices are filed, the ballot becomes effective at the end of the Review Period.

Important applicability notes

  • The proposed Section 7.1.6.3 distinguishes between:
    • Subordinate CA Certificates issued after the Effective Date to Externally Operated Subordinate CAs, which must include explicit policy identifiers and must not contain anyPolicy.
    • Subordinate CA Certificates issued after the Effective Date to Internally Operated Subordinate CAs, which may include reserved identifiers or CA-defined identifiers and may contain anyPolicy.
  • The proposed Section 8.1 says CA Certificates must either be Technically Constrained and audited under Section 8.7 only, or be fully audited under Section 8.
  • The proposed Section 8.7 adds quarterly monitoring and sampling requirements for Technically Constrained Externally Operated Subordinate CAs.

Model: gpt-5.4-mini Confidence: 0.99 Result: failed

Applicability and conditions

2017-03-02: Had the ballot been approved, the proposed changes would have taken effect at the end of the Review Period, which follows the Chair's filing of the Review Notice, provided no Exclusion Notices were filed.

2017-03-02: Subordinate CA Certificates issued after the Effective Date to Externally Operated Subordinate CAs must include one or more explicit policy identifiers and must not contain anyPolicy.

2017-03-02: Subordinate CA Certificates issued after the Effective Date to Internally Operated Subordinate CAs may include reserved or CA-defined policy identifiers and may contain anyPolicy.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Proposers

Proposed by Dimitris Zacharopoulos of HARICA and endorsed by Ben Wilson of DigiCert and Tim Hollebeek of Trustwave.

Excerpt

Results on Ballot 188

The voting period for Ballot 188 has ended. Here are the results.
