[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

Geoff Keating geoffk at apple.com
Fri Jul 26 19:36:55 UTC 2013


I would endorse the proposal with Ryan's improved wording.

On 26/07/2013, at 12:34 PM, Ryan Sleevi <sleevi at google.com> wrote:

> Jeremy,
> 
> If I might suggest a slight modification to the wording, which still
> leaves things a little ambiguous. "All root and intermediate
> certificates included in a browser's trust store" - AIUI, none of the
> browsers are really accepting intermediates to the trust store at this
> point.
> 
> This was a sticky point when working on Mozilla's wording on this
> policy too. Luckily, the terminology for "Root CA" and "Subordinate CA"
> may be sufficient here to help clarify.
> 
> "All root certificates included in a browser's trust store, all
> subordinate CA certificates signed by one of these root certificates,
> and all end-entity certificates that either lack any Extended Key
> Usage extension or contain an Extended Key Usage extension that
> contains one of the following:
> - Server Authentication (1.3.6.1.5.5.7.3.1)
> - anyExtendedKeyUsage (2.5.29.37.0)
> - Netscape Server Gated Cryptography (2.16.840.1.113730.4.1)
> - Microsoft Server Gated Cryptography (1.3.6.1.4.1.311.10.3.3)
> are expressly covered by these requirements."
> 
> Note that Appendix B, 3.F lists other values as SHOULD NOT. However,
> that presumably only applies when a certificate is 'in scope' of the
> BRs, hence the restatement of potential EKUs that are relevant.
> 
> On Fri, Jul 26, 2013 at 12:22 PM, Jeremy Rowley
> <jeremy.rowley at digicert.com> wrote:
>> Hi everyone,
>> 
>> As mentioned on the phone call last week, CAs have claimed exemption from
>> the BRs because the definition of a publicly-trusted SSL certificate is not
>> clear. I would like to clarify the scope of the BRs to avoid confusion on
>> what particular certificate contents are necessary to require compliance. I
>> am looking for an endorser (Stephen Davidson has already endorsed).
>> 
>> The third paragraph of Section 1 of the baseline requirements is:
>> 
>> “This version of the Requirements only addresses Certificates intended to be
>> used for authenticating servers  accessible through the Internet. Similar
>> requirements for code signing, S/MIME, time-stamping, VoIP, IM, Web
>> services, etc. may be covered in future versions.”
>> 
>> I’d like to replace the above text with the following:
>> 
>> "This version of the Baseline Requirements addresses all root, intermediate,
>> and end entity certificates that can be used in publicly-trusted SSL
>> handshakes.  All root and intermediate certificates included in a browser’s
>> trust store and all end entity certificates containing an extended key usage
>> extension of Server Authentication (1.3.6.1.5.5.7.3.1) are expressly covered
>> by these requirements. Similar requirements for code signing, S/MIME,
>> time-stamping, VoIP, IM, Web services, etc. may be covered in future
>> versions."
>> 
>> I look forward to your comments.
>> 
>> Jeremy
>> 
>> 
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>> 

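The scoping rule in Ryan's proposed wording is mechanical enough to check with code: an end-entity certificate is in scope if it carries no Extended Key Usage extension at all, or if its EKU extension lists serverAuth, anyExtendedKeyUsage, Netscape SGC or Microsoft SGC. The script below is an added illustration of that rule, not CA/Browser Forum text or any CA's tooling. It assumes the four OIDs quoted in the thread, hand-parses the DER ExtKeyUsageSyntax value (SEQUENCE OF OBJECT IDENTIFIER) rather than using an ASN.1 library, and constructs its sample extension values inline; whether a root or subordinate CA certificate is in scope depends on trust-store membership, which a certificate alone cannot tell you, so only the end-entity test is modelled.

```python
"""Apply the proposed BR scoping rule to an end-entity certificate's EKU.

Added example; the DER code is a minimal hand-written encoder/decoder for
ExtKeyUsageSyntax only (short-form lengths), not a general ASN.1 library.
"""

# Key purposes that place an end-entity certificate in scope (from the thread).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ANY_EKU = "2.5.29.37.0"
NETSCAPE_SGC = "2.16.840.1.113730.4.1"
MICROSOFT_SGC = "1.3.6.1.4.1.311.10.3.3"
IN_SCOPE_EKUS = frozenset({SERVER_AUTH, ANY_EKU, NETSCAPE_SGC, MICROSOFT_SGC})

# Used only to build out-of-scope sample values (assumed, standard OIDs).
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"


def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length, then base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids) -> bytes:
    """DER-encode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    inner = b"".join(encode_oid(o) for o in oids)
    if len(inner) >= 128:
        raise ValueError("short-form length only in this toy encoder")
    return bytes([0x30, len(inner)]) + inner


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one short-form DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported by this toy parser")
    start = pos + 2
    if start + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[start:start + length], start + length


def decode_oid(body: bytes) -> str:
    """Decode the value bytes of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, pending = 0, False
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def decode_eku(der: bytes):
    """Parse an ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids


def in_br_scope(eku_der) -> bool:
    """Proposed rule for end-entity certificates: in scope when the EKU
    extension is absent (None) or lists any of the four key purposes."""
    if eku_der is None:
        return True  # no EKU at all: usable for TLS, hence covered
    return any(oid in IN_SCOPE_EKUS for oid in decode_eku(eku_der))


if __name__ == "__main__":
    # Constructed sample extension values, not taken from real certificates.
    samples = {
        "no EKU extension": None,
        "serverAuth + clientAuth": encode_eku([SERVER_AUTH, CLIENT_AUTH]),
        "clientAuth only": encode_eku([CLIENT_AUTH]),
        "codeSigning + anyEKU": encode_eku([CODE_SIGNING, ANY_EKU]),
        "Microsoft SGC only": encode_eku([MICROSOFT_SGC]),
    }
    for label, der in samples.items():
        print(f"{label:28s} in scope: {in_br_scope(der)}")
```

The absent-EKU case is the one most often missed when a CA argues a certificate is "not an SSL certificate": a certificate with no EKU extension at all is accepted for server authentication by browsers, which is why the proposed wording pulls it in rather than only matching serverAuth.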