diff --git a/docs/BR.md b/docs/BR.md index 3edd10e4..81e29c2c 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,11 +1,11 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.1.9 +subtitle: Version 2.2.0 author: - CA/Browser Forum -date: 10-November-2025 +date: 15-December-2025 copyright: | Copyright 2025 CA/Browser Forum @@ -153,6 +153,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.1.7 | SC089 | Mass Revocation Planning | 23-Jul-2025 | 25-Aug-2025 | | 2.1.8 | SC092 | Sunset Precertificate Signing CAs | 03-Oct-2025 | 04-Nov-2025 | | 2.1.9 | SC088 | DNS TXT Record with Persistent Value DCV Method | 09-Oct-2025 | 10-Nov-2025 | +| 2.2.0 | SC086 | Sunset the Inclusion of Address and Routing Parameter Area Names | 2025-11-13 | 2026-12-15 | \* Effective Date and Additionally Relevant Compliance Date(s) @@ -217,6 +218,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2026-03-15 | 3.2.2.8.1 | DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective. | | 2026-03-15 | 3.2.2.8.1 | CAs MUST NOT use local policy to disable DNSSEC validation on any DNS query associated CAA record lookups. | | 2026-03-15 | 3.2.2.8.1 | DNSSEC-validation errors observed by the Primary Network Perspective (e.g., SERVFAIL) MUST NOT be treated as permission to issue. | +| 2026-03-15 | 4.2.2 | CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix. | | 2026-03-15 | 4.2.1 | Subject Identity Information validation maximum data reuse period is 398 days. | | 2026-03-15 | 4.2.1 | Domain Name and IP Address validation maximum data reuse period is 200 days. | | 2026-03-15 | 6.3.2 | Maximum validity period of Subscriber Certificates is 200 days. | 
@@ -397,7 +399,7 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **High Risk Certificate Request**: A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may include names at higher risk for phishing or other fraudulent usage, names contained in previously rejected certificate requests or revoked Certificates, names listed on the Miller Smiles phishing list or the Google Safe Browsing list, or names that the CA identifies using its own risk-mitigation criteria. -**Internal Name**: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA's Root Zone Database. +**Internal Name**: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top-Level Domain registered in IANA's Root Zone Database. **IP Address**: A 32-bit or 128-bit number assigned to a device that uses the Internet Protocol for communication. 
@@ -405,6 +407,8 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S **IP Address Registration Authority**: The Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC). +**IP Reverse Zone Suffix**: One of the two FQDNs that consist of the Domain Labels "in-addr.arpa" or "ip6.arpa". These two FQDNs serve as the root of the IP version 4 and IP version 6 reverse mapping space. "in-addr.arpa" is the root of the IP version 4 reverse mapping space and "ip6.arpa" is the root of the IP version 6 reverse mapping space. + **Issuing CA**: In relation to a particular Certificate, the CA that issued the Certificate. This could be either a Root CA or a Subordinate CA. **Key Compromise**: A Private Key is said to be compromised if its value has been disclosed to an unauthorized person, or an unauthorized person has had access to it. @@ -532,6 +536,8 @@ The script outputs: **Test Certificate**: This term is no longer used in these Baseline Requirements. +**Top-Level Domain**: From RFC 8499 (https://tools.ietf.org/html/rfc8499): "A Top-Level Domain is a zone that is one layer below the root, such as "com" or "jp"." + **Trustworthy System**: Computer hardware, software, and procedures that are: reasonably secure from intrusion and misuse; provide a reasonable level of availability, reliability, and correct operation; are reasonably suited to performing their intended functions; and enforce the applicable security policy. **Unregistered Domain Name**: A Domain Name that is not a Registered Domain Name. 
@@ -1364,7 +1370,9 @@ If a Delegated Third Party fulfills any of the CA's obligations under this secti ### 4.2.2 Approval or rejection of certificate applications -CAs SHALL NOT issue certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address). +CAs SHALL NOT issue Certificates containing Internal Names or Reserved IP Addresses, as such names cannot be validated according to [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or [Section 3.2.2.5](#3225-authentication-for-an-ip-address). + +Effective 2026-03-15, CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix. ### 4.2.3 Time to process certificate applications 
@@ -2906,7 +2914,7 @@ Table: `GeneralName` within a `subjectAltName` extension | --- | -- | ----- | | `otherName` | N | - | | `rfc822Name` | N | - | -| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). | +| `dNSName` | Y | The entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with [Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control). Wildcard Domain Names MUST be validated for consistency with [Section 3.2.2.6](#3226-wildcard-domain-validation). The entry MUST NOT contain an Internal Name. Effective 2026-03-15, the entry MUST NOT contain a Domain Name that ends in an IP Address Reverse Zone Suffix. The Fully-Qualified Domain Name or the FQDN portion of the Wildcard Domain Name contained in the entry MUST be composed entirely of P-Labels or Non-Reserved LDH Labels joined together by a U+002E FULL STOP (".") character. The zero-length Domain Label representing the root zone of the Internet Domain Name System MUST NOT be included (e.g. "example.com" MUST be encoded as "example.com" and MUST NOT be encoded as "example.com."). | | `x400Address` | N | - | | `directoryName` | N | - | | `ediPartyName` | N | - |
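Review bot: In the hunk at `@@ -153,6 +153,7 @@`, the Effective Date of `2026-12-15` in the new 2.2.0 row looks like a typo: the `date:` field in this same patch is 15-December-2025, and the compliance table below sets the new requirement's effective date at 2026-03-15, so a ballot effective date in December 2026 cannot be right; 2025-12-15 is presumably intended. The row also uses ISO dates (`2025-11-13`, `2026-12-15`) where the neighbouring rows use the `09-Oct-2025` style; suggest `13-Nov-2025` and `15-Dec-2025` so the column stays consistent.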
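Review bot: In the hunk at `@@ -217,6 +218,7 @@`, the new 4.2.2 row is inserted before the two 4.2.1 rows, breaking the ascending section-number order that the surrounding rows follow (3.2.2.8.1, then 4.2.1, then 6.3.2); move it to sit immediately after the second 4.2.1 row, before the 6.3.2 row.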
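Review bot: In the hunk at `@@ -405,6 +407,8 @@`, the new **IP Reverse Zone Suffix** definition does not say how "end in" is evaluated, and both requirements that use it (Section 4.2.2 and the `dNSName` row) depend on that: a purely textual suffix comparison would catch a name such as `foo-in-addr.arpa`, which ends in the characters `in-addr.arpa` but is not under that zone, whereas the "reverse mapping space" rationale implies a match on whole Domain Labels (the FQDN is `in-addr.arpa` or `ip6.arpa`, or has one of them as its trailing labels, compared case-insensitively). Suggest stating that explicitly. The wording "consist of the Domain Labels "in-addr.arpa" or "ip6.arpa"" is also imprecise, since each of those FQDNs consists of two labels, and the third sentence repeats the second; a tighter form would be: "One of the two FQDNs "in-addr.arpa" and "ip6.arpa", which are the roots of the IP version 4 and IP version 6 reverse mapping spaces, respectively."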
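Review bot: In the hunk at `@@ -532,6 +536,8 @@`, the new **Top-Level Domain** entry nests double quotes inside a double-quoted RFC citation (`"... such as "com" or "jp"."`), which renders as a closed quotation followed by stray quote characters; set the inner examples in single quotes or code font (`'com'` or `` `com` ``) and keep only the outer pair. If the document's other RFC references use a different link form than `https://tools.ietf.org/html/rfc8499`, match that form here.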
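Review bot: In the hunk at `@@ -1364,7 +1370,9 @@`, the new sentence states the prohibition but not why it is separate from the Internal Name rule in the sentence above it, and the preceding rationale ("cannot be validated according to Section 3.2.2.4") does not carry over: names under `in-addr.arpa` and `ip6.arpa` end in the registered TLD `arpa`, so they are not Internal Names, and they are delegated in the public DNS, so a Section 3.2.2.4 validation could in principle succeed. A short clause such as "regardless of whether control of the Domain Name can be demonstrated under Section 3.2.2.4" would make clear that this is a categorical prohibition rather than a validation failure, and a link to the defined term in Section 1.6.1 would help readers find what "ends in" covers.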
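Review bot: In the hunk at `@@ -2906,7 +2914,7 @@`, the `dNSName` row uses "IP Address Reverse Zone Suffix", which is not the defined term: the definitions hunk and Section 4.2.2 in this same patch both use "IP Reverse Zone Suffix", and a defined term only carries its definition when spelled exactly. Change it to "IP Reverse Zone Suffix". To keep the two statements from drifting again, consider having this row reference Section 4.2.2 the way it already references Sections 3.2.2.4 and 3.2.2.6, rather than restating the rule inline.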