[cabfpub] Ballot 189 - Amend Section 6.1.7 of Baseline Requirements
Dimitris Zacharopoulos
jimmy at it.auth.gr
Thu Mar 30 20:10:12 UTC 2017
On 30/3/2017 10:51 μμ, Ryan Sleevi wrote:
>
> On Thu, Mar 30, 2017 at 2:40 PM, Dimitris Zacharopoulos
> <jimmy at it.auth.gr <mailto:jimmy at it.auth.gr>> wrote:
>
> It removes the "e.g" that was causing the confusion. At least that
> was the outcome from the previous discussion. it-kp-timeStamping
> is not included in the specific exceptions (administrative role
> certificates, Internal CA operational device certificates)
>
>
> Sure, I apologize that I wasn't clearer. I'm asking what was the goal
> of changing
>
> "Root CA Private Keys MUST NOT be used to sign Certificates except in
> the following cases:"
>
> to
> "Private Keys corresponding to Root Certificates that participate in a
> hierarchy that issues Certificates with an extKeyUsage extension that
> includes the value id-kp-serverAuth [RFC5280] MUST NOT be used to sign
> Certificates except in the following cases:"
>
> And whether that was necessary. It sounds like removing the e.g. does
> exactly what you want, so why the extra change above?
>
The reason for this language was to have a clear scope on which Root CA
Certificates are affected by this rule.
For example, if there is a Root CA Certificate that is in a hierarchy
that does not issue SSL Certificates (say it is enabled by Root programs
only for id-kp-emailProtection or id-kp-codeSigning), it might be
possible to issue timestamping certificates directly from these Roots. I
don't have any strong feelings about this so we could remove the long
sentence. How about:
"Private Keys corresponding to Root Certificates MUST NOT be used to
sign Certificates except in the following cases:
1. Self-signed Certificates to represent the Root CA itself;
2. Certificates for Subordinate CAs and Cross Certificates;
3. Certificates for infrastructure purposes (administrative role
certificates, internal CA operational device certificates)
4. Certificates for OCSP Response verification;"
Anyone who might object to this change?
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170330/a4e0d7a1/attachment-0003.html>
More information about the Public
mailing list