[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

Jeremy Rowley jeremy.rowley at digicert.com
Thu Aug 8 16:21:15 UTC 2013


The change in the document below is that I added that the certificate must
contain either an Internal Server Name or a FQDN. The inconsistency remains
that some certs may be used for SSL without being covered by the BRs, but
the number of certificates potentially escaping BR governance is greatly
reduced.

Jeremy

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: Thursday, August 08, 2013 10:04 AM
To: 'Gervase Markham'
Cc: 'CABFPub'
Subject: Re: [cabfpub] Ballot 108: Clarifying the scope of the baseline
requirements

Yes - I am officially withdrawing the ballot pending further consideration.

I'm not sure how to overcome these obstacles since:
1) PIV-I in the US space requires the anyEKU
2) Qualified Certs may require no EKU
3) Certificates without an EKU or the anyEKU may be used as SSL certificates
4) All SSL certificates should be covered by the BRs
5) Qualified and PIV-I Certs cannot be covered by the BRs since they lack a
FQDN
6) SSL Certificates without an FQDN are considered local host and explicitly
covered by the BRs

I think the best option might be to simply acknowledge the inconsistency and
change the definition as follows:

"All root certificates included in a browser's trust store, all subordinate
CA certificates signed by one of these root certificates, and all end-entity
certificates that either lack any Extended Key Usage extension or contain an
Extended Key Usage extension that contain (i) either an Internal Server Name
or a FQDN and (ii) one of the following:
- Server Authentication (1.3.6.1.5.5.7.3.1)
- anyExtendedKeyUsage (2.5.29.37.0)
- Netscape Server Gated Cryptography (2.16.840.1.113730.4.1)
- Microsoft Server Gated Cryptography (1.3.6.1.4.1.311.10.3.3)
are expressly covered by these requirements."


Jeremy

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, August 08, 2013 9:20 AM
To: jeremy.rowley at digicert.com
Cc: 'CABFPub'
Subject: Re: [cabfpub] Ballot 108: Clarifying the scope of the baseline
requirements

On 02/08/13 12:19, Jeremy Rowley wrote:
> There is a potential conflict that I think needs more data and discussion:

We agree; hence Mozilla votes NO on the ballot in its current form.

We would like to see it withdrawn until further information can be gathered.
We very much support the goal of this ballot; we want the BRs to cover all
certs capable of being used by SSL servers. But we need to figure out
whether this requires a change in the definition of what the BRs cover, or a
change (e.g. on clients) in the definition of "capable of being used by SSL
servers". Or something else.

Gerv
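
The scope test proposed in the thread, written out as an added example (not part of the original messages and not CA/Browser Forum code). It reads the proposed wording as "the certificate contains an FQDN or Internal Server Name, and it either has no EKU extension or its EKU lists one of the four OIDs". It assumes the EKU OIDs and name values have already been extracted from the certificate, and `is_server_name`, `in_scope`, `classify` and the sample entries are hypothetical names and constructed data.

```python
import re

# EKU OIDs listed in the proposed definition quoted in the thread.
SCOPE_EKUS = {
    "1.3.6.1.5.5.7.3.1",       # Server Authentication
    "2.5.29.37.0",             # anyExtendedKeyUsage
    "2.16.840.1.113730.4.1",   # Netscape Server Gated Cryptography
    "1.3.6.1.4.1.311.10.3.3",  # Microsoft Server Gated Cryptography
}

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_server_name(name):
    # Assumption: any hostname-shaped string stands in for "FQDN or Internal
    # Server Name"; public DNS resolvability cannot be checked offline.
    labels = name.rstrip(".").split(".")
    if labels[0] == "*":            # allow a leading wildcard label
        labels = labels[1:]
    if not labels or labels[-1].isdigit():   # empty, or looks like an IP address
        return False
    return all(_LABEL.match(label) for label in labels)

def in_scope(eku_oids, names):
    # eku_oids: None when the certificate has no EKU extension at all,
    #           otherwise the OID strings listed in that extension.
    # names:    subject CN / SAN values from an end-entity certificate.
    has_name = any(is_server_name(n) for n in names)
    eku_ok = eku_oids is None or bool(SCOPE_EKUS & set(eku_oids))
    return has_name and eku_ok

# Constructed sample certificates: (EKU OIDs or None, names).
SAMPLES = {
    "tls-server":     (["1.3.6.1.5.5.7.3.1"], ["www.example.com"]),
    "no-eku-fqdn":    (None, ["intranet.example.com"]),
    "internal-name":  (["1.3.6.1.5.5.7.3.1"], ["mailserver"]),
    "piv-i-like":     (["2.5.29.37.0"], ["Jane Q. Public"]),
    "qualified-like": (None, ["Jane Q. Public"]),
    "client-only":    (["1.3.6.1.5.5.7.3.2"], ["host.example.com"]),
}

def classify(samples=SAMPLES):
    return {label: in_scope(ekus, names) for label, (ekus, names) in samples.items()}

if __name__ == "__main__":
    for label, covered in classify().items():
        print(f"{label:15} {'covered' if covered else 'not covered'}")
```

The `piv-i-like` and `qualified-like` entries fall outside the test only because they carry no server name, which is the remaining inconsistency the thread acknowledges.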
