[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Jul 26 19:28:44 UTC 2013


On 07/26/2013 10:22 PM, Jeremy Rowley wrote:
>
> Hi everyone,
>
> As mentioned on the phone call last week, CAs have claimed exemption 
> from the BRs because the definition of a publicly-trusted SSL 
> certificate is not clear. I would like to clarify the scope of the 
> BRs to avoid confusion on what particular certificate contents are 
> necessary to require compliance.  I am looking for one endorser 
> (Stephen Davidson has already endorsed).
>
> The third paragraph of Section 1 of the baseline requirements is:
>
> “This version of the Requirements only addresses Certificates intended 
> to be used for authenticating servers accessible through the 
> Internet. Similar requirements for code signing, S/MIME, 
> time-stamping, VoIP, IM, Web services, etc. may be covered in future 
> versions.”
>
> I’d like to replace the above text with the following:
>
> "This version of the Baseline Requirements addresses all root, 
> intermediate, and end entity certificates that can be used in 
> publicly-trusted SSL handshakes.  All root and intermediate 
> certificates included in a browser’s trust store and all end entity 
> certificates containing an extended key usage extension of Server 
> Authentication (1.3.6.1.5.5.7.3.1) are expressly covered by these 
> requirements. Similar requirements for code signing, S/MIME, 
> time-stamping, VoIP, IM, Web services, etc. may be covered in future 
> versions."
>

I believe an end user certificate that contains NO EKU could be used for 
server authentication, hence it should be included as well.


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

