[cabfpub] Baseline Requirements Issues List

Ryan A. Koski rkoski at godaddy.com
Tue Jan 29 21:47:18 UTC 2013


I noticed the other day that there are multiple places where we cross-reference a different section of the BR, and the section reference is incorrect.  Most likely we haven't been that diligent to review those when sections were added/deleted/moved.  I haven't had time yet to go through and find them all, but if you want to add another Issue to this list and assign it to me, I'll try to produce a complete list.

--
Ryan Koski
Enterprise Architect
GoDaddy.com, LLC


On Jan 29, 2013, at 1:06 PM, Ben Wilson wrote:

> All,
> Here is an updated Baseline Requirements Issues list.  I will put this on the wiki, too.
> Ben
> 
> Issue 1
> Assigned: Gerv Markham
> Section: 14.2 Delegation of functions & compliance obligations
> Comment: Better audit criteria are needed for sub CAs and RAs that are not operated directly by the CA.
> Source: Several
> Recv'd: Open item prior to v. 1.0
> Status: Need to review Mozilla’s rules for Sub CAs and RAs, which will provide guidance.
> Notes: Issue 27 (All trusted entities must be audited) was merged into this Issue. This should be re-assigned to someone outside of Mozilla.
> 
> Issue 4
> Assigned: Jeremy Rowley
> Section: 16 Data Security
> Comment: Issuance approvals should require an out-of-band confirmation step.
> Source: Several
> Recv'd: Open item prior to v. 1.0
> Status: Need to discuss proposal to the right in “Notes”
> Notes: Modify point 7 of 11.1.1 and point 4 of 11.1.2 to include stipulation that “any other procedure” must be “out-of-band” and define or use other guidance for CAs and auditors.
> 
> Issue 7
> Assigned: Ben Wilson
> Section: B Certificate Extensions
> Comment: AIA for OCSP must be present. OCSP Stapling is not an exception to AIA for OCSP.
> Source: Yngve
> Recv'd: 29 Sep 2011
> Status: Email circulated by Ben on 23-Jan-2013.
> Notes: Appendix B Certificate Extensions. Proposal is to make OCSP MUST for End Entity Certificates.
> 
> Issue 14
> Assigned: Ryan Hurst
> Section: 9 Certificate Content & Profiles
> Comment: Consider making policy identifiers mandatory
> Source: Tim
> Recv'd: 29 Sep 2011
> Status: Suspended pending further discussion
> Notes: See Ballot 69, https://www.cabforum.org/wiki/Ballots
> 
> Issue 15
> Assigned: Rick Andrews (see notes)
> Section: 9 Certificate Content & Profiles
> Comment: Implications of RFC6125 (BR issue 16 has been merged into this for *.gTLD)
> Source: Brad Hill
> Recv'd: 29 Sep 2011
> Status: Two issues emerged: IDNs and gTLDs. These two issues were removed from Ballot 92 and two new ballots are being reworked. See: https://www.cabforum.org/wiki/Section%209_2_1
> Notes: Brad Hill, Jeremy Rowley, Robin Alden, Steve Roylance, and Rick Andrews should be collaborating on a ballot for gTLDs. Rick Andrews is also working with Geoff Keating and Brad Hill on the IDN issue / ballot.
> 
> Issue 18
> Assigned: Phill Hallam-Baker
> Section: 11 Validation Practices
> Comment: CAA records – RFC 6844
> Source: Phill
> Recv'd: 29 Sep 2011
> Status: Phill is working on a ballot.
> Notes: RFC 6844 has been published.
> 
> Issue 24
> Assigned: Jeremy Rowley
> Section: B Certificate Extensions
> Comment: Currently, any PKIX extension is permitted. Consider banning extensions other than those explicitly allowed.
> Source: Brad Hill
> Recv'd: 29 Sep 2011
> Status: Earlier proposal needs to be re-visited and updated.
> Notes: Problem if certificate contains an uncommon parameter that hides data for collision attack. See Ballot 68 … https://www.cabforum.org/wiki/Ballots
> 
> Issue 29
> Assigned: Steve Roylance
> Section: 9.2.1 Subject Alternative Name Extension
> Comment: The first and third paragraphs are contradictory
> Source: Bruce Morton
> Recv'd: Bruce Morton email 9 April 2012
> Status: Bruce’s comment from 9-Apr-2012 needs to be reviewed to determine status.
> Notes: Ballot 92 failed (but issue remains open until closed).
> 
> Issue 30
> Assigned: Ryan Hurst
> Section: 12 Certificate Issuance by a Root CA
> Comment: OCSP Response verification Certificate unclear
> Source: Yngve
> Recv'd: Ryan Hurst email 12 April 2012
> Status: Steve Roylance reviewing for ballot.
> Notes: Change item 3 to read: “Certificates for infrastructure purposes (e.g. administrative role certificates, internal CA operational device certificates, and OCSP Responder Certificates);” motion and two endorsers needed.
> 
> Issue 32
> Assigned: Eddy Nigg
> Section: 9.2.4 Subject Organization Name Field
> Comment: Representation of DBA
> Source: Eddy Nigg
> Recv'd: Email to Tim - 4 July 2012
> Status: To be worked on as part of BR – EV harmonization
> Notes: Adopt the same convention for DBA as that of the EV standard.
> 
> Issue 33
> Assigned: Dean Coclin
> Section: Title Pages
> Comment: No single place to view effective dates
> Source: Yngve
> Recv'd: General Private communication
> Status: Let’s assign this to the Audit Working Group
> Notes: We need a table in the front to guide CAs and auditors on deadlines and effective dates that may be different from the document as a whole and tie those into audit effective dates integration, etc. (maybe ordered by date?)
> 
> Issue 34
> Assigned: Joe Kaluzny
> Section: Definition of FQDN
> Comment: The term FQDN is used inconsistently. FQDN is used sometimes where it should really say “registerable domain name / domain name space” or “registered domain name / domain namespace” or
> Source: Wells Fargo
> Recv'd: Private communication, 17-Jan-2013
> Status: New item
> Notes: FQDN is something that is in a routing table. A registerable domain name is a namespace that can be registered under the auspices of ICANN.
> 
> Issue 35
> Assigned: Joe Kaluzny
> Section: Sections 11.2.1 and 14.2
> Comment: Third party database language prevents Wells Fargo from using business database to perform domain checks
> Source: Joe Kaluzny
> Recv'd: Private communication, 17-Jan-2013
> Status: New item – Joe is working on a draft ballot.
> Notes: Acceptable methods of validating ownership of domain rights and confirming identity of applicants who are corporate affiliates. This is related to Closed BR Issue #17 (“Improve the definition of a suitable third-party database”).
> 
> <BRv1.1IssuesListv.12.pdf>
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
