[cabfpub] Proposed Ballot 184 - Allowing 822 Names and (limited) otherNames

Jeremy Rowley jeremy.rowley at digicert.com
Tue Jan 10 17:30:23 UTC 2017


I can live with the criticality change. As mentioned, I really don't think
this is a difference between the two groups as the reasons behind the
deviation from 5280 are identical. 

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Scott Rea via
Public
Sent: Monday, January 9, 2017 11:20 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>; Rob
Stradling <rob.stradling at comodo.com>
Cc: Scott Rea <scott at scottrea.com>
Subject: Re: [cabfpub] Proposed Ballot 184 - Allowing 822 Names and
(limited) otherNames

G'day folks,

For the record, I am comfortable with all of Jeremy's proposal with one
caveat - I agree with Ryan/Rob/others etc that we should be looking to bring
the BRs back into compliance with RFC5280 or rather RFC6818 which is the
latest update to 5280 I believe.

I don't necessarily agree that the right path to achieving this is to
mandate that WFA needs to join CABF so they can be represented in the
discussion - that is entirely up to their community to decide if they want
to, or perhaps CABF can invite them if it desires.

Right now we have a consideration from an existing member who has given us
reasons for why they are asking for a change. All the changes look fine to
me with the exception of the potential to run afoul of the RFC which was
only temporarily relaxed for practicality reasons.

Jeremy, if you can live without the criticality portion of the proposal,
then the rest of the proposal should not provide any barriers from my
perspective.

CABF has been clear about the temporary nature of that relaxation and the
desire to re-adjust that when it practically can. That timetable should be
based on Apple's efforts for compliance with the RFCs and no consideration
should be given whatsoever to WFA since they are not a part of this
community.

And yes, even though DigiCert is a member of the community, we put them on
notice with any accepted change that the current relaxation has a short
lifetime and after a certain date, it will be ratified with RFC
recommendation. Jeremy can then choose to issue his dual certs today with
the foreknowledge of their likely limited acceptance, or he can go back to
WFA and petition them to change their profiles (we don't really care, but he
did say that WFA made their decision on criticality for much the same reason
CABF did, which if this is the case, then I think the two trust communities
are actually aligned on this so this should be a non-issue)

Regards,
_Scott

On 1/10/2017 3:36 AM, Kirk Hall via Public wrote:
> Everyone - please make sure your Subject line for this topic says 
> "Ballot 184" (Jeremy's new ballot number, adopted a couple of days 
> ago).  Ballot 183 is the voting rules draft that Virginia is working on.
> 
> *From:*Public [mailto:public-bounces at cabforum.org] *On Behalf Of 
> *Geoff Keating via Public
> *Sent:* Monday, January 9, 2017 2:24 PM
> *To:* Rob Stradling <rob.stradling at comodo.com>
> *Cc:* Geoff Keating <geoffk at apple.com>; CA/Browser Forum Public 
> Discussion List <public at cabforum.org>
> *Subject:* Re: [cabfpub] Proposed Ballot 183 - Allowing 822 Names and
> (limited) otherNames
> 
>     On Jan 9, 2017, at 1:10 PM, Rob Stradling <rob.stradling at comodo.com
>     <mailto:rob.stradling at comodo.com>> wrote:
> 
>     On 09/01/17 17:39, Rich Smith via Public wrote:
>     <snip>
> 
>         Scenario:
>         We ignore this and Ryan's arguments against, and we pass this
>         proposal.
>         Next month we decide that the various browsers all now have enough
>         support for critical name constraints to update the BRs to MUST, but
>         because it will break your newly authorized dual-use certs Digicert is
>         now arguing against bringing the BRs back into full compliance
>         w/RFC5280.
> 
>     Geoff,
> 
>     Would you (or anyone else from Apple) be able to provide CABForum
>     with data on the % of currently deployed Apple devices that support
>     critical name constraints?
> 
> Sure, although of course only public data.  We have this page:
> 
> https://developer.apple.com/support/app-store/
> 
> which shows that "76% of devices are using iOS 10" and an additional 
> 18% using iOS 9, as of January 4, for a total of 94% supporting name 
> constraints.  For macOS, I don't believe Apple publishes numbers, but 
> there's public data here:
> 
> http://netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
> 
> which if you strip out the non-macOS systems, looks like this:
> 
> for 68% of devices running macOS 10.12 or OS X 10.11 in December 2017, 
> and so supporting name constraints.  (I won't endorse the accuracy of 
> the netmarketshare numbers, but they explain their methodology and so 
> you can form your own opinion.)
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 

--
Scott Rea, MSc, CISSP
Ph# (801) 874-4114
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
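The thread keeps returning to whether the nameConstraints extension is marked critical, as RFC 5280 section 4.2.1.10 requires of conforming CAs, or non-critical, as the BRs have temporarily allowed for client compatibility. The following is an added illustration, not code from anyone in the thread: it builds a small constructed name-constrained CA (the key, subject name and example.com subtrees are sample data) with the Python cryptography library and reports the extension's criticality alongside the rfc822Name and dNSName subtrees it permits, which is the kind of check a CA could run over its own sub-CA certificates.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_constrained_ca(critical: bool) -> x509.Certificate:
    """Self-signed CA whose nameConstraints permit dNSName and rfc822Name
    subtrees under example.com (constructed sample data, not a real CA).
    critical=True is the RFC 5280 encoding; False is the BR-relaxed one."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Sub CA")])
    now = datetime.now(timezone.utc)
    constraints = x509.NameConstraints(
        permitted_subtrees=[x509.DNSName("example.com"),
                            x509.RFC822Name("example.com")],
        excluded_subtrees=None,
    )
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(constraints, critical=critical)
        .sign(key, hashes.SHA256())
    )


def audit_name_constraints(cert: x509.Certificate) -> dict:
    """Report whether nameConstraints is present, whether it is critical
    (RFC 5280 4.2.1.10: a conforming CA MUST mark it critical), and which
    rfc822Name / dNSName subtrees it permits."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.NameConstraints)
    except x509.ExtensionNotFound:
        return {"present": False}
    permitted = ext.value.permitted_subtrees or []
    return {
        "present": True,
        "critical": ext.critical,
        "rfc5280_compliant": ext.critical,
        "permitted_rfc822": [n.value for n in permitted if isinstance(n, x509.RFC822Name)],
        "permitted_dns": [n.value for n in permitted if isinstance(n, x509.DNSName)],
    }
```

Feed `audit_name_constraints` a certificate loaded with `x509.load_pem_x509_certificate` to run the same check on real issuing CA certificates.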