[cabfpub] Ballot 189 - Amend Section 6.1.7 of Baseline Requirements
Dimitris Zacharopoulos
jimmy at it.auth.gr
Thu Mar 30 18:40:42 UTC 2017
On 30/3/2017 9:20 PM, Ryan Sleevi wrote:
>
>
> On Thu, Mar 30, 2017 at 1:03 PM, Dimitris Zacharopoulos
> <jimmy at it.auth.gr> wrote:
>
>
> The intention is that it MUST NOT be permitted to directly sign an
> id-kp-timeStamping certificate from such a Root. The reason behind
> this is that only Roots that participate in a hierarchy that
> eventually issues publicly trusted SSL certificates should have
> this rule. Roots that participate in a hierarchy that does not
> issue SSL end-entity certificates should not need to follow this
> rule. Could you please offer some improvement language to make
> this clearer?
>
>
> Thanks for clarifying the intent.
>
> I'm unsure what the issue is with the original wording, which I think
> made that clear:
>
> "Root CA Private Keys MUST NOT be used to sign Certificates except in
> the following cases:"
>
> Why doesn't that sufficiently address it? As I understand it, your
> concern was related to whether id-kp-timeStamping relates to
> "infrastructure" certificates, but that doesn't seem to have been
> addressed/clarified in a way that would move closer to that goal, right?

It removes the "e.g." that was causing the confusion. At least that was
the outcome from the previous discussion. id-kp-timeStamping is not
included in the specific exceptions (administrative role certificates,
Internal CA operational device certificates).

Dimitris.