[cabfpub] SRV Ballot

Ryan Sleevi sleevi at google.com
Fri Jun 10 17:30:23 UTC 2016


Jeremy,

I would be happy to support without the underscore modification. However,
so long as that remains, I'm afraid we'd need to vote against this.

On Fri, Jun 10, 2016 at 10:28 AM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> Looking for two endorsers for the following ballot:
>
>
>
> The following motion has been proposed by Jeremy Rowley, from DigiCert,
> and endorsed by ____________________:
>
>
>
> -- MOTION BEGINS –
>
>
>
> Effective immediately, the following changes are made to the Baseline
> Requirements:
>
>
>
> A)    Section 4.2.2 of the Baseline Requirements is replaced with “No
> Stipulation”
>
>
>
> B)    Add the following definition to Section 1.6.1:
>
> *Wildcard Domain Name: A Domain Name formed by prepending '*.' to a FQDN.*
>
>
>
> C)    Section 7.1.4.2.1 is amended as follows:
>
> *Certificate Field:* extensions:subjectAltName
>
> *Required/Optional:* Required
>
> *Contents:* This extension MUST contain at least one entry. Each entry
> MUST be either a dNSName containing the Fully‐Qualified Domain Name, *Wildcard
> Domain Name,* or an iPAddress containing the IP address of a server, *or
> an otherName of type SRVName as defined in RFC4985*. *An entry MUST NOT
> be an Internal name or Reserved IP Address.* The CA MUST confirm the
> entry as follows:
>
> a)      *For a* Fully‐Qualified Domain Name *or Wildcard Domain Name
> entry, the CA MUST verify the entry in accordance with Section 3.2.2.4;*
>
> b)     *For a SRVName entry, the CA MUST verify the Name portion of the
> entry in accordance with Section 3.2.2.4; and *
>
> c)      *For* an IP address entry, *the CA MUST verify the entry in
> accordance with Section 3.2.2.5* or has been granted the right to use it
> by the Domain Name Registrant or IP address assignee, as appropriate. Wildcard
> FQDNs are permitted.
>
> *As exceptions to RFC5280 and X.509, dNSName entries MAY contain Wildcard
> Domain Names, and FQDNs and Wildcard Domain Names MAY contain the
> underscore character ("_") in any location where the hyphen character ("-")
> is allowed. SRVName entries MUST NOT contain Wildcard Domain Names.*
>
> *If a name constrained CA has a dNSName constraint but does not have a
> constraint for SRVNames, the CA MUST NOT issue certificates containing
> SRVNames.*
>
>
>
> As of the Effective Date of these Requirements, prior to the issuance of a
> Certificate with a subjectAlternativeName extension or Subject commonName
> field containing a Reserved IP Address or Internal Name, the CA SHALL
> notify the Applicant that the use of such Certificates has been deprecated
> by the CA / Browser Forum and that the practice will be eliminated by
> October 2016. Also as of the Effective Date, the CA*s* SHALL NOT issue a
> certificate with an Expiry Date later than 1 November 2015 with a
> subjectAlternativeName extension or Subject commonName field containing a
> Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL
> revoke all unexpired Certificates whose subjectAlternativeName extension or
> Subject commonName field contains a Reserved IP Address or Internal Name. Effective
> May 1, 2015, each CA SHALL revoke all unexpired Certificates with an
> Internal Name using onion as the right‐most label in an entry in the
> subjectAltName Extension or commonName field unless such Certificate was
> issued in accordance with Appendix F of the EV Guidelines.
>
>
>
> ---- END BALLOT ----
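
An added example, not part of the original message or the ballot: a syntax check for dNSName and SRVName entries as the quoted Section 7.1.4.2.1 text describes them, with a switch (`allow_underscore`) for the underscore exception under discussion. The function names and sample names are assumptions, and it checks syntax only, not domain validation under Section 3.2.2.4.

```python
import re

# LDH label: letters and digits, hyphen in the interior only.
LDH = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?", re.I)
# Ballot exception: "_" allowed wherever "-" is allowed, so still interior only.
LDH_US = re.compile(r"[a-z0-9]([a-z0-9_-]*[a-z0-9])?", re.I)

def fqdn_ok(name, allow_underscore):
    """True if every label of name is a valid label under the chosen rule."""
    label_re = LDH_US if allow_underscore else LDH
    return len(name) <= 253 and all(
        len(label) <= 63 and label_re.fullmatch(label) is not None
        for label in name.split("."))

def check_san(kind, value, allow_underscore=True):
    """Return (ok, reason) for one subjectAltName entry (hypothetical helper)."""
    if kind == "dNSName":
        # Wildcard Domain Name: '*.' prepended to an FQDN (ballot item B).
        base = value[2:] if value.startswith("*.") else value
        if "*" in base:
            return False, "wildcard must be exactly a leading '*.'"
        if not fqdn_ok(base, allow_underscore):
            return False, "not a valid FQDN"
        return True, "wildcard" if value != base else "fqdn"
    if kind == "SRVName":
        # RFC 4985 form is _Service.Name; only Name is checked as a domain.
        service, _, name = value.partition(".")
        if not (service.startswith("_") and len(service) > 1):
            return False, "missing _Service label"
        if "*" in name:
            return False, "SRVName must not contain a wildcard"
        if not fqdn_ok(name, allow_underscore):
            return False, "Name portion is not a valid FQDN"
        return True, "srvname"
    return False, "unsupported entry type"

# Constructed sample entries, not taken from any real certificate.
SAMPLES = [
    ("dNSName", "*.example.com"),
    ("dNSName", "my_host.example.com"),   # differs with allow_underscore
    ("dNSName", "_dmarc.example.com"),    # leading "_" is not a hyphen position
    ("dNSName", "foo.*.example.com"),
    ("SRVName", "_imaps.example.com"),
    ("SRVName", "_imaps.*.example.com"),
]

if __name__ == "__main__":
    for kind, value in SAMPLES:
        print(kind, value, check_san(kind, value), check_san(kind, value, False))
```

A name such as `my_host.example.com` is the only sample whose result changes with the underscore exception; a leading underscore stays invalid either way because a hyphen is not allowed there.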