[cabfpub] Ballot 189 - Amend Section 6.1.7 of Baseline Requirements

Ryan Sleevi sleevi at google.com
Thu Mar 30 19:51:53 UTC 2017


On Thu, Mar 30, 2017 at 2:40 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
wrote:

> It removes the "e.g." that was causing the confusion. At least that was the
> outcome from the previous discussion. id-kp-timeStamping is not included in
> the specific exceptions (administrative role certificates, Internal CA
> operational device certificates).
>

Sure, I apologize that I wasn't clearer. I'm asking what was the goal of
changing

"Root CA Private Keys MUST NOT be used to sign Certificates except in the
following cases:"

to
"Private Keys corresponding to Root Certificates that participate in a
hierarchy that issues Certificates with an extKeyUsage extension that
includes the value id-kp-serverAuth [RFC5280] MUST NOT be used to sign
Certificates except in the following cases:"

And whether that was necessary. It sounds like removing the e.g. does
exactly what you want, so why the extra change above?