[cabfpub] Ballot 103 - OCSP Stapling and TLS Security Policy Extension

Robin Alden robin at comodo.com
Fri Sep 6 15:59:53 UTC 2013


Hi Bruce,
We'll withdraw that section about basicConstraints in subscriber
certificates from the ballot.

> (4) In Appendix B "(3) Subscriber Certificate" replace point D.
> basicConstraints (optional) with:
> 
> D. basicConstraints (optional)
> If present, this field MUST be marked critical, and the cA field MUST
> be set to false.
>

I think it probably deserves its own ballot.  When it appears in that
context, I'd like to see basicConstraints required instead of optional,
but am less fussy about the criticality.

Regards
Robin Alden
Comodo


> -----Original Message-----
> From: questions-bounces at cabforum.org [mailto:questions-
> bounces at cabforum.org] On Behalf Of Bruce Morton
> Sent: 05 September 2013 17:58
> To: ben at digicert.com; questions at cabforum.org
> Subject: Re: [cabfquest] [cabfpub] Ballot 103 - OCSP Stapling and TLS
> Security Policy Extension
> 
> Ben,
> 
> The ballot requires for Subscriber Certificates that the optional OID
> of basicConstraints be set to critical. I'm not sure why this optional
> OID needs to be set at critical, but if it does then some CAs will have
> to make a change. As such, I do not believe that the ballot should be
> "EFFECTIVE IMMEDIATELY."
> 
> Just so we understand, can someone please advise why the
> basicConstraints OID needs to be set as critical for a Subscriber
> Certificate.
> 
> Thanks, Bruce.
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-
> bounces at cabforum.org] On Behalf Of Ben Wilson
> Sent: Wednesday, September 04, 2013 6:22 PM
> To: public at cabforum.org
> Subject: [cabfpub] Ballot 103 - OCSP Stapling and TLS Security Policy
> Extension
> 
> Robin,
> If this draft is acceptable, then we would only be looking for one
> more endorser.  Please let me know.
> Thanks,
> Ben
> 
> Ballot 103 - OCSP Stapling and TLS Security Policy Extension
> 
> Explanation - This motion is made to clarify and simplify language
> about OCSP stapling and to promote the development and use of OCSP
> Stapling by allowing certificates to contain a TLS Security Policy
> Extension.
> 
> Ben Wilson of DigiCert made the following motion, and Robin Alden from
> Comodo and ______ from _______ endorsed it:
> 
> Motion Begins
> 
> EFFECTIVE IMMEDIATELY, in order to clarify language in section 13.2.1
> of the Baseline Requirements and in Appendix B concerning
> authorityInformationAccess (AIA), and allow use of the TLS Security
> Policy Extension, we propose the following amendments:
> 
> (1) Delete the second paragraph of Section 13.2.1 "Mechanisms" so
> that as amended the section will read as follows:
> 
> "13.2.1 Mechanisms
> 
> The CA SHALL make revocation information for Subordinate Certificates
> and Subscriber Certificates available in accordance with Appendix B."
> 
> (2) In Appendix B "(2) Subordinate CA Certificate" replace point C.
> authorityInformationAccess with:
> 
> C. authorityInformationAccess
> 
> This extension MUST be present. It MUST NOT be marked critical, and it
> MUST contain the HTTP URL of the Issuing CA's OCSP responder
> (accessMethod = 1.3.6.1.5.5.7.48.1).
> 
> For Certificates that are not issued by a Root CA, this extension
> SHOULD contain the HTTP URL where a copy of the Issuing CA's
> certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded
> from a 24x7 online repository.
> 
> (3) In Appendix B "(3) Subscriber Certificate" replace point C.
> authorityInformationAccess with:
> 
> C. authorityInformationAccess
> 
> This extension MUST be present. It MUST NOT be marked critical, and it
> MUST contain the HTTP URL of the Issuing CA's OCSP responder
> (accessMethod = 1.3.6.1.5.5.7.48.1).
> 
> This extension SHOULD contain the HTTP URL where a copy of the Issuing
> CA's certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded
> from a 24x7 online repository.
> 
> (4) In Appendix B "(3) Subscriber Certificate" replace point D.
> basicConstraints (optional) with:
> 
> D. basicConstraints (optional)
> If present, this field MUST be marked critical, and the cA field MUST
> be set to false.
> 
> (5) In Appendix B "(3) Subscriber Certificate" after point F insert a
> new point G (TLS Security Policy Extension) as follows:
> 
> G. TLS Security Policy Extension (optional)
> 
> Subscriber Certificates MAY contain the TLS Security Policy Extension
> [http://datatracker.ietf.org/doc/draft-hallambaker-tlssecuritypolicy/]
> advertising that the status_request feature of OCSP stapling is
> available and supported by the Subscriber. If present, this field
> SHOULD NOT be marked critical.
> 
> =====Motion Ends=====
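The Appendix B profile text quoted in the ballot above (points C and D for Subscriber Certificates: a non-critical AIA carrying the OCSP responder URL, preferably the caIssuers URL too, and a basicConstraints extension that, if present, is critical with cA false) expressed as a certificate check. This is an added example and not part of the thread or of any CA/Browser Forum tooling; it uses only Go's standard crypto/x509. The self-signed leaf certificate, its subject and the URLs are constructed for the example, and the check reads the ballot's "HTTP URL" literally as the http:// scheme, which is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Extension OIDs named in the ballot text. Go exposes the AIA access methods
// 1.3.6.1.5.5.7.48.1 (OCSP) and .48.2 (caIssuers) as OCSPServer and IssuingCertificateURL.
var (
	oidAIA              = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}
	oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
)

// hasHTTPURL reads the ballot's "HTTP URL" literally as the http:// scheme (an assumption).
func hasHTTPURL(urls []string) bool {
	for _, u := range urls {
		if strings.HasPrefix(u, "http://") {
			return true
		}
	}
	return false
}

// checkSubscriberProfile lists deviations from the ballot's Appendix B "(3) Subscriber
// Certificate" points C (AIA) and D (basicConstraints); "SHOULD:" marks non-MUST findings.
func checkSubscriberProfile(cert *x509.Certificate) []string {
	var problems []string
	var aia, bc *pkix.Extension
	for i := range cert.Extensions {
		e := &cert.Extensions[i]
		if e.Id.Equal(oidAIA) {
			aia = e
		} else if e.Id.Equal(oidBasicConstraints) {
			bc = e
		}
	}
	if bc != nil { // optional in a Subscriber Certificate, but constrained when present
		if !bc.Critical {
			problems = append(problems, "basicConstraints, if present, MUST be marked critical")
		}
		if cert.IsCA {
			problems = append(problems, "basicConstraints cA MUST be false in a Subscriber Certificate")
		}
	}
	if aia == nil {
		return append(problems, "authorityInformationAccess MUST be present")
	}
	if aia.Critical {
		problems = append(problems, "authorityInformationAccess MUST NOT be marked critical")
	}
	if !hasHTTPURL(cert.OCSPServer) {
		problems = append(problems, "AIA MUST contain the HTTP URL of the OCSP responder (1.3.6.1.5.5.7.48.1)")
	}
	if !hasHTTPURL(cert.IssuingCertificateURL) {
		problems = append(problems, "SHOULD: AIA should contain the HTTP URL of the issuing CA certificate (1.3.6.1.5.5.7.48.2)")
	}
	return problems
}

// makeTestCert builds a self-signed leaf certificate (constructed for this example,
// standing in for a CA-issued one); the arguments set its AIA URLs and basicConstraints.
func makeTestCert(ocspURL, caIssuersURL string, withBC, isCA bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "www.example.test"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: withBC, // Go emits basicConstraints as critical when set
		IsCA:                  isCA,
	}
	if ocspURL != "" {
		tmpl.OCSPServer = []string{ocspURL}
	}
	if caIssuersURL != "" {
		tmpl.IssuingCertificateURL = []string{caIssuersURL}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := makeTestCert("http://ocsp.example.test", "http://example.test/ca.crt", true, false)
	if err != nil {
		panic(err)
	}
	fmt.Println("deviations:", checkSubscriberProfile(cert))
}
```

The same check applied to a certificate with no AIA and cA=true reports both MUST violations, and one whose only OCSP URL uses https reports the OCSP MUST and the caIssuers SHOULD; a compliance scan over a CA's issued certificates would treat the "SHOULD:" findings as warnings and the rest as profile failures. To check a real certificate, replace makeTestCert with x509.ParseCertificate on its DER bytes.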