[cabfpub] Ballot 189 - Amend Section 6.1.7 of Baseline Requirements
Ryan Sleevi
sleevi at google.com
Thu Mar 30 18:20:35 UTC 2017
On Thu, Mar 30, 2017 at 1:03 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
wrote:
>
> The intention is that it MUST NOT be permitted to directly sign an
> id-kp-timeStamping certificate from such a Root. The reason behind this is
> that only Roots that participate in a hierarchy that eventually issues
> publicly trusted SSL certificates should have this rule. Roots that
> participate in a hierarchy that does not issue SSL end-entity certificates
> should not need to follow this rule. Could you please offer some
> improvement language to make this clearer?
>
Thanks for clarifying the intent.
I'm unsure what the issue is with the original wording, which I think made
that clear:
"Root CA Private Keys MUST NOT be used to sign Certificates except in the
following cases:"
Why doesn't that sufficiently address it? As I understand it, your concern
was related to whether id-kp-timeStamping relates to "infrastructure"
certificates, but that doesn't seem to have been addressed/clarified in a
way that would move closer to that goal, right?