Cleanup 2025 #628
Open
Cleanup 2025 #628
+1,698
−1,540
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…to S/MIME language
Member
|
Based on discussion in the Validation Subcommittee today (Dec 11, 2025), #642 (#642) could be included in this cleanup. While there was consensus that this change is not necessary to enable the use of RDAP for the purposes of Section 3.2.2.14.1 in the EVGs (due to inherited definition of "WHOIS" from the TBRs), it was agreed that adding clarity would help avoid potential confusion in the future. |
Contributor
Author
Fixed with 6bfbe3a |
…e references section should also be updated.
aarongable
reviewed
Dec 18, 2025
Comment on lines
+163
to
+171
| | 2024-03-15 | [4.9.7](#497-crl-issuance-frequency) | CAs MUST generate and publish CRLs. | | ||
| | 2024-09-15 | [4.3.1.2](#4312-linting-of-to-be-signed-certificate-content) | The CA SHOULD implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | ||
| | 2025-01-15 | [4.9.9](#499-on-line-revocationstatus-checking-availability) | Subscriber Certificate OCSP responses MUST be available 15 minutes after issuance. | | ||
| | 2025-01-15 | [3.2.2.4](#3224-validation-of-domain-authorization-or-control) | CAs MUST NOT rely on HTTPS websites to identify Domain Contact information. CAs MUST rely on IANA resources for identifying Domain Contact information. | | ||
| | 2025-03-15 | [4.3.1.2](#4312-linting-of-to-be-signed-certificate-content) | The CA SHALL implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | ||
| | 2025-03-15 | [8.7](#87-self-audits) | The CA SHOULD use a Linting process to test the technical accuracy of already issued Certificates against the sample set chosen for Self-Audits. | | ||
| | 2025-03-15 | [3.2.2.9](#3229-multi-perspective-issuance-corroboration) | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | | ||
| | 2025-07-15 | [3.2.2.4](#3224-validation-of-domain-authorization-or-control) | CAs MUST NOT rely on Methods 3.2.2.4.2 and 3.2.2.4.15 to issue Subscriber Certificates. | | ||
| | 2025-12-01 | [5.7.1.2](#5712-mass-revocation-plans) | CAs SHALL assert in section 5.7.1 of their CPS or combined CP/CPS their mass revocation plan, testing, and continuous improvements. | |
Contributor
There was a problem hiding this comment.
If we're cleaning up old effective dates, why aren't we cleaning up these ones? What's special about the beginning of 2024 that we're keeping dates after then?
Especially the second item (SHOULD implement Linting) whose corresponding sentence has already been deleted from the body of section 4.3.1.2.
| **Persistent DCV TXT Record:** A DNS TXT record identifying an Applicant in accordance with [Section 3.2.2.4.22](#322422-dns-txt-record-with-persistent-value). | ||
| **Persistent DCV TXT Record**: A DNS TXT record identifying an Applicant in accordance with [Section 3.2.2.4.22](#322422-dns-txt-record-with-persistent-value). | ||
|
|
||
| **Precertificate**: A Precertificate is a signed data structure that can be submitted to a Certificate Transparency log, as defined by [RFC 6962](https://datatracker.ietf.org/doc/html/rfc6962) and containing the critical poison extension (OID: 1.3.6.1.4.1.11129.2.4.3). |
Contributor
There was a problem hiding this comment.
nit: I don't think this colon is correct. By analogy, a sentence might say "Please deliver it to my hotel room (Number 212)"; it would sound halting and disjointed to say "Please deliver it to my hotel room (Number: 212)".
Suggested change
| **Precertificate**: A Precertificate is a signed data structure that can be submitted to a Certificate Transparency log, as defined by [RFC 6962](https://datatracker.ietf.org/doc/html/rfc6962) and containing the critical poison extension (OID: 1.3.6.1.4.1.11129.2.4.3). | |
| **Precertificate**: A Precertificate is a signed data structure that can be submitted to a Certificate Transparency log, as defined by [RFC 6962](https://datatracker.ietf.org/doc/html/rfc6962) and containing the critical poison extension (OID 1.3.6.1.4.1.11129.2.4.3). |
| - if using the Registry Data Access Protocol ([RFC 7482](https://datatracker.ietf.org/doc/html/rfc7482)), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. | ||
| - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. | ||
|
|
||
| Effective 2025-07-15: |
Contributor
There was a problem hiding this comment.
Why are we preserving the text of this method at all? It cannot be used, and its validation data cannot be reused, so it is now fully irrelevant. This ballot should replace this whole section with
This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.
and the corresponding Relevant Dates can be removed from the table in Section 1.2.2.
There was a problem hiding this comment.
The convention has been to retain the method until all certs issued using the method have expired.
| @@ -881,16 +843,17 @@ Confirming the Applicant's control over the FQDN by validating the Applicant is | |||
|
|
|||
| **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. | |||
|
|
|||
| Effective January 15, 2025: | |||
| Effective 2025-01-15: | |||
Contributor
There was a problem hiding this comment.
Why are we preserving this effective date? This line should be removed, and the bullet points below it should be promoted to standalone paragraphs.
| - if using the Registry Data Access Protocol ([RFC 7482](https://datatracker.ietf.org/doc/html/rfc7482)), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. | ||
| - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. | ||
|
|
||
| Effective 2025-07-15: |
Contributor
There was a problem hiding this comment.
Why are we preserving the text of this method at all? It cannot be used, and its validation data cannot be reused, so it is now fully irrelevant. This ballot should replace this whole section with
This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.
and the corresponding Relevant Dates can be removed from the table in Section 1.2.2.
Comment on lines
+1358
to
1360
| Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, it is considered best practice for the CA to implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by [RFC 6962, Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2). | ||
|
|
||
| Effective 2025-03-15, the CA SHALL implement such a Linting process. |
Contributor
There was a problem hiding this comment.
Why did we delete one of these effective dates but not the other? It's time to just integrate the requirement into the paragraph.
Suggested change
| Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, it is considered best practice for the CA to implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by [RFC 6962, Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2). | |
| Effective 2025-03-15, the CA SHALL implement such a Linting process. | |
| Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, the CA MUST implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by [RFC 6962, Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2).``` |
| @@ -1518,7 +1493,7 @@ No stipulation. | |||
| No stipulation. | |||
|
|
|||
| ### 4.8.7 Notification of certificate issuance by the CA to other entities | |||
|
|
|||
| 2 | |||
Contributor
There was a problem hiding this comment.
Typo
Suggested change
| 2 |
|
|
||
| OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019. The CA MAY process the Nonce extension (`1.3.6.1.5.5.7.48.1.2`) in accordance with RFC 8954. | ||
| OCSP responders operated by the CA SHALL support the HTTP GET method, as described in [RFC 6960](https://datatracker.ietf.org/doc/html/rfc6960) and/or [RFC 5019](https://datatracker.ietf.org/doc/html/rfc5019). The CA MAY process the Nonce extension (1.3.6.1.5.5.7.48.1.2) in accordance with [RFC 8954](https://datatracker.ietf.org/doc/html/rfc8954). | ||
|
|
||
| For the status of a Subscriber Certificate or its corresponding Precertificate: | ||
|
|
||
| - Effective 2025-01-15, an authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. |
Contributor
There was a problem hiding this comment.
Suggested change
| - Effective 2025-01-15, an authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. | |
| - An authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. |
| @@ -1955,21 +1939,21 @@ The business continuity plan MUST include: | |||
|
|
|||
| #### 5.7.1.2 Mass Revocation Plans | |||
|
|
|||
| CA organizations MUST have a mass revocation plan, and as of December 1, 2025, they SHALL assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. | |||
| CA organizations MUST have a mass revocation plan, and as of 2025-12-01, they SHALL assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. | |||
Contributor
There was a problem hiding this comment.
Suggested change
| CA organizations MUST have a mass revocation plan, and as of 2025-12-01, they SHALL assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. | |
| CA organizations MUST have a mass revocation plan, and they MUST assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. |
| 1. In the case of Debian weak keys vulnerability (https://wiki.debian.org/SSLkeys), the CA SHALL reject all keys found at https://github.com/cabforum/Debian-weak-keys/ for each key type (e.g. RSA, ECDSA) and size listed in the repository. For all other keys meeting the requirements of [Section 6.1.5](#615-key-sizes), with the exception of RSA key sizes greater than 8192 bits, the CA SHALL reject Debian weak keys. | ||
| 2. In the case of ROCA vulnerability, the CA SHALL reject keys identified by the tools available at https://github.com/crocs-muni/roca or equivalent. | ||
| 3. In the case of Close Primes vulnerability (https://fermatattack.secvuln.info/), the CA SHALL reject weak keys which can be factored within 100 rounds using Fermat’s factorization method. | ||
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. For requests submitted on or after 2024-11-15, at least the following precautions SHALL be implemented: |
Contributor
There was a problem hiding this comment.
Suggested change
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. For requests submitted on or after 2024-11-15, at least the following precautions SHALL be implemented: | |
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. At least the following precautions SHALL be implemented: |
srdavidson
reviewed
Dec 29, 2025
|
|
||
| Effective July 15, 2025: | ||
| - The CA MUST NOT rely on this method. | ||
| - Prior validations using this method and validation data gathered according to this method MUST NOT be used to issue Subscriber Certificates. | ||
|
|
||
| ##### 3.2.2.4.3 Phone Contact with Domain Contact | ||
|
|
||
| This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates. |
There was a problem hiding this comment.
"certificates" -> "Certificates"
This capitalization varies even from the para before.
There is inconsistency in capitalization of Defined Terms throughout the text.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.