Cleanup 2025 #628
Open
Cleanup 2025 #628
+1,691
−1,543
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…to S/MIME language
Member
|
Based on discussion in the Validation Subcommittee today (Dec 11, 2025), #642 (#642) could be included in this cleanup. While there was consensus that this change is not necessary to enable the use of RDAP for the purposes of Section 3.2.2.14.1 in the EVGs (due to inherited definition of "WHOIS" from the TBRs), it was agreed that adding clarity would help avoid potential confusion in the future. |
Contributor
Author
Fixed with 6bfbe3a |
…e references section should also be updated.
aarongable
reviewed
Dec 18, 2025
docs/BR.md
Outdated
Comment on lines
163
to
171
| | 2024-03-15 | [4.9.7](#497-crl-issuance-frequency) | CAs MUST generate and publish CRLs. | | ||
| | 2024-09-15 | [4.3.1.2](#4312-linting-of-to-be-signed-certificate-content) | The CA SHOULD implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | ||
| | 2025-01-15 | [4.9.9](#499-on-line-revocationstatus-checking-availability) | Subscriber Certificate OCSP responses MUST be available 15 minutes after issuance. | | ||
| | 2025-01-15 | [3.2.2.4](#3224-validation-of-domain-authorization-or-control) | CAs MUST NOT rely on HTTPS websites to identify Domain Contact information. CAs MUST rely on IANA resources for identifying Domain Contact information. | | ||
| | 2025-03-15 | [4.3.1.2](#4312-linting-of-to-be-signed-certificate-content) | The CA SHALL implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | ||
| | 2025-03-15 | [8.7](#87-self-audits) | The CA SHOULD use a Linting process to test the technical accuracy of already issued Certificates against the sample set chosen for Self-Audits. | | ||
| | 2025-03-15 | [3.2.2.9](#3229-multi-perspective-issuance-corroboration) | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | | ||
| | 2025-07-15 | [3.2.2.4](#3224-validation-of-domain-authorization-or-control) | CAs MUST NOT rely on Methods 3.2.2.4.2 and 3.2.2.4.15 to issue Subscriber Certificates. | | ||
| | 2025-12-01 | [5.7.1.2](#5712-mass-revocation-plans) | CAs SHALL assert in section 5.7.1 of their CPS or combined CP/CPS their mass revocation plan, testing, and continuous improvements. | |
Contributor
There was a problem hiding this comment.
If we're cleaning up old effective dates, why aren't we cleaning up these ones? What's special about the beginning of 2024 that we're keeping dates after then?
Especially the second item (SHOULD implement Linting) whose corresponding sentence has already been deleted from the body of section 4.3.1.2.
There was a problem hiding this comment.
I removed dates before 2025-01-01, as agreed during the meeting.
| - if using the Registry Data Access Protocol ([RFC 7482](https://datatracker.ietf.org/doc/html/rfc7482)), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. | ||
| - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. | ||
|
|
||
| Effective 2025-07-15: |
Contributor
There was a problem hiding this comment.
Why are we preserving the text of this method at all? It cannot be used, and its validation data cannot be reused, so it is now fully irrelevant. This ballot should replace this whole section with
This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.
and the corresponding Relevant Dates can be removed from the table in Section 1.2.2.
There was a problem hiding this comment.
The convention has been to retain the method until all certs issued using the method have expired.
There was a problem hiding this comment.
I understand that no changes are needed.
| @@ -881,16 +843,17 @@ Confirming the Applicant's control over the FQDN by validating the Applicant is | |||
|
|
|||
| **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. | |||
|
|
|||
| Effective January 15, 2025: | |||
| Effective 2025-01-15: | |||
Contributor
There was a problem hiding this comment.
Why are we preserving this effective date? This line should be removed, and the bullet points below it should be promoted to standalone paragraphs.
There was a problem hiding this comment.
If we are keeping references dated after 2025-01-01, should this one and others below remain, or did that rule apply only to the Relevant Dates table?
| - if using the Registry Data Access Protocol ([RFC 7482](https://datatracker.ietf.org/doc/html/rfc7482)), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. | ||
| - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. | ||
|
|
||
| Effective 2025-07-15: |
Contributor
There was a problem hiding this comment.
Why are we preserving the text of this method at all? It cannot be used, and its validation data cannot be reused, so it is now fully irrelevant. This ballot should replace this whole section with
This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates.
and the corresponding Relevant Dates can be removed from the table in Section 1.2.2.
Comment on lines
+1358
to
1360
| Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, it is considered best practice for the CA to implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by [RFC 6962, Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2). | ||
|
|
||
| Effective 2025-03-15, the CA SHALL implement such a Linting process. |
Contributor
There was a problem hiding this comment.
Why did we delete one of these effective dates but not the other? It's time to just integrate the requirement into the paragraph.
Suggested change
| Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, it is considered best practice for the CA to implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by [RFC 6962, Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2). | |
| Effective 2025-03-15, the CA SHALL implement such a Linting process. | |
| Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, the CA MUST implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by [RFC 6962, Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2).``` |
|
|
||
| OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019. The CA MAY process the Nonce extension (`1.3.6.1.5.5.7.48.1.2`) in accordance with RFC 8954. | ||
| OCSP responders operated by the CA SHALL support the HTTP GET method, as described in [RFC 6960](https://datatracker.ietf.org/doc/html/rfc6960) and/or [RFC 5019](https://datatracker.ietf.org/doc/html/rfc5019). The CA MAY process the Nonce extension (1.3.6.1.5.5.7.48.1.2) in accordance with [RFC 8954](https://datatracker.ietf.org/doc/html/rfc8954). | ||
|
|
||
| For the status of a Subscriber Certificate or its corresponding Precertificate: | ||
|
|
||
| - Effective 2025-01-15, an authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. |
Contributor
There was a problem hiding this comment.
Suggested change
| - Effective 2025-01-15, an authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. | |
| - An authoritative OCSP response MUST be available (i.e. the responder MUST NOT respond with the "unknown" status) starting no more than 15 minutes after the Certificate or Precertificate is first published or otherwise made available. |
| @@ -1955,21 +1939,21 @@ The business continuity plan MUST include: | |||
|
|
|||
| #### 5.7.1.2 Mass Revocation Plans | |||
|
|
|||
| CA organizations MUST have a mass revocation plan, and as of December 1, 2025, they SHALL assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. | |||
| CA organizations MUST have a mass revocation plan, and as of 2025-12-01, they SHALL assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. | |||
Contributor
There was a problem hiding this comment.
Suggested change
| CA organizations MUST have a mass revocation plan, and as of 2025-12-01, they SHALL assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. | |
| CA organizations MUST have a mass revocation plan, and they MUST assert in section 5.7.1 of their CPS or combined CP/CPS that they maintain a comprehensive and actionable plan for mass revocation events, that they perform annual testing of the mass revocation plan, and that they incorporate lessons learned into such plan in order to continually improve their preparedness for mass revocation events over time. |
docs/BR.md
Outdated
| 1. In the case of Debian weak keys vulnerability (https://wiki.debian.org/SSLkeys), the CA SHALL reject all keys found at https://github.com/cabforum/Debian-weak-keys/ for each key type (e.g. RSA, ECDSA) and size listed in the repository. For all other keys meeting the requirements of [Section 6.1.5](#615-key-sizes), with the exception of RSA key sizes greater than 8192 bits, the CA SHALL reject Debian weak keys. | ||
| 2. In the case of ROCA vulnerability, the CA SHALL reject keys identified by the tools available at https://github.com/crocs-muni/roca or equivalent. | ||
| 3. In the case of Close Primes vulnerability (https://fermatattack.secvuln.info/), the CA SHALL reject weak keys which can be factored within 100 rounds using Fermat’s factorization method. | ||
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. For requests submitted on or after 2024-11-15, at least the following precautions SHALL be implemented: |
Contributor
There was a problem hiding this comment.
Suggested change
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. For requests submitted on or after 2024-11-15, at least the following precautions SHALL be implemented: | |
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. At least the following precautions SHALL be implemented: |
srdavidson
reviewed
Dec 29, 2025
|
|
||
| Effective July 15, 2025: | ||
| - The CA MUST NOT rely on this method. | ||
| - Prior validations using this method and validation data gathered according to this method MUST NOT be used to issue Subscriber Certificates. | ||
|
|
||
| ##### 3.2.2.4.3 Phone Contact with Domain Contact | ||
|
|
||
| This method has been retired and MUST NOT be used. Prior validations using this method and validation data gathered according to this method SHALL NOT be used to issue certificates. |
There was a problem hiding this comment.
"certificates" -> "Certificates"
This capitalization varies even from the para before.
There is inconsistency in capitalization of Defined Terms throughout the text.
There was a problem hiding this comment.
@srdavidson the phrase "Subscriber Certificate*" appears 64 times with a capital "C" and only once with a lowercase "c"- in section 7.1.2.7.11.
The word "Certificate*" with a capital "C" appears 882 times in the document, while with a lowercase "c" it appears 209 times.
If we want to set broader rules for capitalization, it would be good to create a separate issue for that and include that in a future cleanup.
docs/BR.md
Outdated
|
|
||
| **WHOIS**: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in RFC 3912, the Registry Data Access Protocol defined in RFC 7482, or an HTTPS website. | ||
| **WHOIS**: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in [RFC 3912](https://datatracker.ietf.org/doc/html/rfc3912), the Registry Data Access Protocol defined in [RFC 9082](https://datatracker.ietf.org/doc/html/rfc9082), or an HTTPS website. |
There was a problem hiding this comment.
This should not be in a cleanup as this changes normative requirements from what was in the old RFC to what is in the new RFC without review of the respective requirements and ensuing discussion.
Contributor
Author
There was a problem hiding this comment.
Good point. Until people have time to read the new RFC, let's use the older RFC.
There was a problem hiding this comment.
Changed back to old RFC 7482 for WHOIS
| @@ -924,20 +887,22 @@ The Random Value SHALL remain valid for use in a confirming response for no more | |||
|
|
|||
| **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. | |||
|
|
|||
| Effective January 15, 2025: | |||
| Effective 2025-01-15: | |||
There was a problem hiding this comment.
See Aaron's comment about continuing to include past effective dates. This should also simply be removed.
docs/BR.md
Outdated
|
|
||
| **WHOIS**: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in RFC 3912, the Registry Data Access Protocol defined in RFC 7482, or an HTTPS website. | ||
| **WHOIS**: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in [RFC 3912](https://datatracker.ietf.org/doc/html/rfc3912), the Registry Data Access Protocol defined in [RFC 9082](https://datatracker.ietf.org/doc/html/rfc9082), or an HTTPS website. |
There was a problem hiding this comment.
Changed back to old RFC 7482 for WHOIS
docs/BR.md
Outdated
Comment on lines
163
to
171
| | 2024-03-15 | [4.9.7](#497-crl-issuance-frequency) | CAs MUST generate and publish CRLs. | | ||
| | 2024-09-15 | [4.3.1.2](#4312-linting-of-to-be-signed-certificate-content) | The CA SHOULD implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | ||
| | 2025-01-15 | [4.9.9](#499-on-line-revocationstatus-checking-availability) | Subscriber Certificate OCSP responses MUST be available 15 minutes after issuance. | | ||
| | 2025-01-15 | [3.2.2.4](#3224-validation-of-domain-authorization-or-control) | CAs MUST NOT rely on HTTPS websites to identify Domain Contact information. CAs MUST rely on IANA resources for identifying Domain Contact information. | | ||
| | 2025-03-15 | [4.3.1.2](#4312-linting-of-to-be-signed-certificate-content) | The CA SHALL implement a Linting process to test the technical conformity of the to-be-issued Certificate with these Requirements. | | ||
| | 2025-03-15 | [8.7](#87-self-audits) | The CA SHOULD use a Linting process to test the technical accuracy of already issued Certificates against the sample set chosen for Self-Audits. | | ||
| | 2025-03-15 | [3.2.2.9](#3229-multi-perspective-issuance-corroboration) | CAs MUST corroborate the results of domain validation and CAA checks from multiple Network Perspectives where specified. | | ||
| | 2025-07-15 | [3.2.2.4](#3224-validation-of-domain-authorization-or-control) | CAs MUST NOT rely on Methods 3.2.2.4.2 and 3.2.2.4.15 to issue Subscriber Certificates. | | ||
| | 2025-12-01 | [5.7.1.2](#5712-mass-revocation-plans) | CAs SHALL assert in section 5.7.1 of their CPS or combined CP/CPS their mass revocation plan, testing, and continuous improvements. | |
There was a problem hiding this comment.
I removed dates before 2025-01-01, as agreed during the meeting.
| @@ -881,16 +843,17 @@ Confirming the Applicant's control over the FQDN by validating the Applicant is | |||
|
|
|||
| **Note**: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the Domain Labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names. | |||
|
|
|||
| Effective January 15, 2025: | |||
| Effective 2025-01-15: | |||
There was a problem hiding this comment.
If we are keeping references dated after 2025-01-01, should this one and others below remain, or did that rule apply only to the Relevant Dates table?
| - if using the Registry Data Access Protocol ([RFC 7482](https://datatracker.ietf.org/doc/html/rfc7482)), MUST utilize IANA's bootstrap file to identify and query the correct RDAP server for the domain. | ||
| - MUST NOT rely on cached 1) WHOIS server information that is more than 48 hours old, or 2) RDAP bootstrap data from IANA that is more than 48 hours old, to ensure that it relies upon up-to-date and accurate information. | ||
|
|
||
| Effective 2025-07-15: |
There was a problem hiding this comment.
I understand that no changes are needed.
docs/BR.md
Outdated
| 1. In the case of Debian weak keys vulnerability (https://wiki.debian.org/SSLkeys), the CA SHALL reject all keys found at https://github.com/cabforum/Debian-weak-keys/ for each key type (e.g. RSA, ECDSA) and size listed in the repository. For all other keys meeting the requirements of [Section 6.1.5](#615-key-sizes), with the exception of RSA key sizes greater than 8192 bits, the CA SHALL reject Debian weak keys. | ||
| 2. In the case of ROCA vulnerability, the CA SHALL reject keys identified by the tools available at https://github.com/crocs-muni/roca or equivalent. | ||
| 3. In the case of Close Primes vulnerability (https://fermatattack.secvuln.info/), the CA SHALL reject weak keys which can be factored within 100 rounds using Fermat’s factorization method. | ||
| 5. The Public Key corresponds to an industry-demonstrated weak Private Key. For requests submitted on or after 2024-11-15, at least the following precautions SHALL be implemented: |
| @@ -3587,21 +3560,21 @@ The following Certificate Policy identifiers are reserved for use by CAs as an o | |||
|
|
|||
| ## 7.2 CRL profile | |||
|
|
|||
| Prior to 2024‐03‐15, the CA SHALL issue CRLs in accordance with the profile specified in these Requirements or the profile specified in Version 1.8.7 of the Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates. Effective 2024‐03‐15, the CA SHALL issue CRLs in accordance with the profile specified in these Requirements. | |||
| Prior to 2024-03-15, the CA SHALL issue CRLs in accordance with the profile specified in these Requirements or the profile specified in Version 1.8.7 of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. Effective 2024-03-15, the CA SHALL issue CRLs in accordance with the profile specified in these Requirements. | |||
There was a problem hiding this comment.
Should we reduce this to: "The CA SHALL issue CRLs in accordance with the profile specified in these Requirements."?
| | --- | -- | ----- | | ||
| | `reasonCode` | * | When present (OID 2.5.29.21), MUST NOT be marked critical and MUST indicate the most appropriate reason for revocation of the Certificate. <br><br> MUST be present unless the CRL entry is for a Certificate not technically capable of causing issuance and either 1) the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023 or 2) the reason for revocation (i.e., reasonCode) is unspecified (0). <br><br>See the "CRLReasons" table for additional requirements. | | ||
| | `reasonCode` | * | When present (OID 2.5.29.21), MUST NOT be marked critical and MUST indicate the most appropriate reason for revocation of the Certificate.<br><br>MUST be present unless the CRL entry is for a Certificate not technically capable of causing issuance and either 1) the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to 2023-07-15 or 2) the reason for revocation (i.e., reasonCode) is unspecified (0).<br><br>See the "CRLReasons" table for additional requirements. | |
There was a problem hiding this comment.
Should we remove 2023 reference here?
| | --- | - | ------ | | ||
| | unspecified | 0 | Represented by the omission of a reasonCode. MUST be omitted if the CRL entry is for a Certificate not technically capable of causing issuance unless the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023. | ||
| | keyCompromise | 1 | Indicates that it is known or suspected that the Subscriber’s Private Key has been compromised. | | ||
| | unspecified | 0 | Represented by the omission of a reasonCode. MUST be omitted if the CRL entry is for a Certificate not technically capable of causing issuance unless the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to 2023-07-15. | |
There was a problem hiding this comment.
Should we remove 2023 reference here?
| | certificateHold | 6 | MUST NOT be included if the CRL entry is for 1) a Certificate subject to these Requirements, or 2) a Certificate not subject to these Requirements and was either A) issued on-or-after 2020-09-30 or B) has a `notBefore` on-or-after 2020-09-30. | ||
| | superseded | 4 | Indicates that the Certificate is being replaced because: the Subscriber has requested a new Certificate, the CA has reasonable evidence that the validation of domain authorization or control for any fully-qualified domain name or IP address in the Certificate should not be relied upon, or the CA has revoked the Certificate for compliance reasons such as the Certificate does not comply with these Baseline Requirements or the CA's CP or CPS. | | ||
| | cessationOfOperation | 5 | Indicates that the website with the Certificate is shut down prior to the expiration of the Certificate, or if the Subscriber no longer owns or controls the Domain Name in the Certificate prior to the expiration of the Certificate. | | ||
| | certificateHold | 6 | MUST NOT be included if the CRL entry is for 1) a Certificate subject to these Requirements, or 2) a Certificate not subject to these Requirements and was either A) issued on-or-after 2020-09-30 or B) has a `notBefore` on-or-after 2020-09-30. | |
There was a problem hiding this comment.
Should we remove 2020 reference here?
| | 2020-01-31 | [7.1.4.2.8](#71428-subject-organization-identifier-field) | If subject:organizationIdentifier is present, the CA/Browser Forum Organization Identifier Extension MUST be present | | ||
| | 2020-09-01 | [6.3.2](#632-certificate-operational-periods-and-key-pair-usage-periods) & [Appendix F](#appendix-f--unused) | Certificates issued MUST NOT have a Validity Period greater than 398 days. | | ||
| | 2020-10-01 | [3.2.2.1.3](#32213-disclosure-of-verification-sources) | Prior to using an Incorporating Agency or Registration Agency, the CA MUST ensure the agency has been publicly disclosed | | ||
| | 2022-09-01 | [7.1.4.2.7](#71427-subject-organizational-unit-name-field) | CAs MUST NOT include the organizationalUnitName field in the Subject | |
There was a problem hiding this comment.
Should we clean up this table as we did in the BR?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.