[cabfpub] Ballot 167 - Baseline Requirements Corrections
Peter Bowen
pzb at amzn.com
Wed Apr 6 16:40:51 MST 2016
> On Apr 6, 2016, at 3:17 PM, Ryan Sleevi <sleevi at google.com> wrote:
>
> On Wed, Apr 6, 2016 at 2:57 PM, Peter Bowen <pzb at amzn.com> wrote:
>
> > Append " - Subscriber Certificates" to the title of section 7.1.4.2.
>
> Apologies for missing this during the first discussion, could you explain the motivation for this change? This seems to substantially change the obligations regarding the construction of subordinate CA certificates, and so it's helpful to understand the context.

This change is to address https://bugzilla.cabforum.org/show_bug.cgi?id=31, which is one of the bugs Gerv listed in the prior thread.

7.1.4.3 is already "Subject Information – Subordinate CA Certificates", so I was following the same heading format.

7.1.4.2 says the subject alternative name extension is required and the "extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server". Clearly this is incorrect for CA certificates.

7.1.2.1/7.1.2.2 call out the requirement for validation of organizationName for CA certificates. I admit that BR structure here is a little weird — very similar requirements are applied to different types of certificates in 7.1.2 and 7.1.4. It would probably be better to call out validation requirements in one place. However that is starting to feel like its own ballot as it is going to take some careful thought on how to make it work correctly.

Would you prefer we drop the change to the heading on 7.1.4.2?

Thanks,
Peter