[cabfpub] Ballot 189 - Amend Section 6.1.7 of Baseline Requirements

Dimitris Zacharopoulos jimmy at it.auth.gr
Thu Mar 30 18:40:42 UTC 2017



On 30/3/2017 9:20 μμ, Ryan Sleevi wrote:
>
>
> On Thu, Mar 30, 2017 at 1:03 PM, Dimitris Zacharopoulos 
> <jimmy at it.auth.gr <mailto:jimmy at it.auth.gr>> wrote:
>
>
>     The intention is that it MUST NOT be permitted to directly sign a
>     id-kp-timeStamping certificate from such a Root. The reason behind
>     this is that only Roots that participate in a hierarchy that
>     eventually issues publicly trusted SSL certificates should have
>     this rule. Roots that participate in a hierarchy that does not
>     issue SSL end-entity certificates should not need to follow this
>     rule. Could you please offer some improvement language to make
>     this clearer?
>
>
> Thanks for clarifying the intent.
>
> I'm unsure what the issue is with the original wording, which I think 
> made that clear:
>
> "Root CA Private Keys MUST NOT be used to sign Certificates except in 
> the following cases:"
>
> Why doesn't that sufficiently address it? As I understand it, your 
> concern was related to whether id-kp-timeStamping relates to 
> "infrastructure" certificates, but that doesn't seem to have been 
> addressed/clarified in a way that would move closer to that goal, right?

It removes the "e.g" that was causing the confusion. At least that was 
the outcome from the previous discussion. it-kp-timeStamping is not 
included in the specific exceptions (administrative role certificates, 
Internal CA operational device certificates)

Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170330/e8ff69bb/attachment-0003.html>


More information about the Public mailing list