[cabfpub] Ballot 167 - Baseline Requirements Corrections

Ryan Sleevi sleevi at google.com
Thu Apr 7 08:52:38 UTC 2016


On Thu, Apr 7, 2016 at 12:55 AM, Ryan Sleevi <sleevi at google.com> wrote:

>
> On Apr 7, 2016 12:45 AM, "Dimitris Zacharopoulos" <jimmy at it.auth.gr>
> wrote:
> >
> > On 7/4/2016 10:30 AM, Ryan Sleevi wrote:
> >>
> >> Dimitris,
> >>
> >> Your changes are actually quite opposite of what I was suggesting, and
> >> are even more problematic to support.
> >>
> >> I think the best step would be to simply drop that item from this
> >> ballot, and then I can work with Peter to see if we can propose a suitable
> >> text that provides the same degree of clarification, while addressing the
> >> concerns I raised.
> >>
> >> To be explicit: I do not want to see 7.1.4.2 deleted.
> >
> >
> > Hello Ryan,
> >
> > You mentioned:
> >
> >
> > "
> > - Let's work up a ballot that:
> >   - Moves the remarks about "required/optional" for subject names (which
> >     is only relevant to subscriber certificates) into a new 7.1.2.3 (g) [thus
> >     mirroring 7.1.2.1 [e] and 7.1.2.2 [h]]
> >   - Moves the remarks about "required/optional" for subjectAltNames to a
> >     new 7.1.2.3 [h]
> > "
> >
> > I don't think I did the opposite. Perhaps I did not follow your entire
> > line of thought. Anyway, at least I discovered some incorrect references
> > which should be resolved as soon as possible.
> >
>
> You moved the entire section, rather than the required/optional, which
> introduced the very loophole I was concerned about introducing - namely,
> that it limits the validation procedures for optional nametypes to
> subscriber certificates.
>
> The overarching goal is to separate out validation procedures for
> obtaining information (aka the 3.2.2 sections), how that information is to
> be used / when that information needs to be used (aka 7.1.4.2), and when
> such information is required to appear in an actual certificate (the
> profiles of 7.1.2.1/.2/.3)
>
> Alternatively stated a third way, the goal being that 7.1.2.[1-3] covers
> the profile, but just makes reference to the name types and whether they're
> required or optional *but says nothing about what information must appear
> in that type*, 7.1.4.2 covers what is acceptable to appear in that name
> type, and applies to ANY certificate that contains that name type, as well
> as what vetting sections to use, and 3.2.2.* covers the actual procedures
> to use to vet that information.
>
>