[cabf_validation] SRV Ballot

Jeremy Rowley jeremy.rowley at digicert.com
Thu Dec 1 08:45:12 MST 2016


This is the SRV ballot we discussed last week:



-- MOTION BEGINS --



Effective immediately, the following changes are made to the Baseline
Requirements:



A)    Section 4.2.2 of the Baseline Requirements is replaced with “No
Stipulation”



B)    Add the following definition to Section 1.6.1:

Wildcard Domain Name: A Domain Name formed by prepending '*.' to a FQDN.



C)    Section 7.1.4.2.1 is amended as follows:

Certificate Field: extensions:subjectAltName

Required/Optional: Required

Contents: This extension MUST contain at least one entry. Each entry MUST be
either a dNSName containing the Fully-Qualified Domain Name, Wildcard
Domain Name, or an iPAddress containing the IP address of a server, or an
otherName of type SRVName as defined in RFC4985. An entry MUST NOT be an
Internal name or Reserved IP Address. The CA MUST confirm the entry as
follows:

a) For a Fully-Qualified Domain Name or Wildcard Domain Name entry,
the CA MUST verify the entry in accordance with Section 3.2.2.4;

b) For a SRVName entry, the CA MUST verify the Name portion of the entry
in accordance with Section 3.2.2.4; and

c) For an IP address entry, the CA MUST verify the entry in accordance
with Section 3.2.2.5 or has been granted the right to use it by the Domain
Name Registrant or IP address assignee, as appropriate. Wildcard FQDNs are
permitted.

As exceptions to RFC5280 and X.509, dNSName entries MAY contain Wildcard
Domain Names. SRVName entries MUST NOT contain Wildcard Domain Names.

If a name constrained CA has a dNSName constraint but does not have a
constraint for SRVNames, the CA MUST NOT issue certificates containing
SRVNames.



As of the Effective Date of these Requirements, prior to the issuance of a
Certificate with a subjectAlternativeName extension or Subject commonName
field containing a Reserved IP Address or Internal Name, the CA SHALL notify
the Applicant that the use of such Certificates has been deprecated by the
CA / Browser Forum and that the practice will be eliminated by October 2016.
Also as of the Effective Date, the CAs SHALL NOT issue a certificate with an
Expiry Date later than 1 November 2015 with a subjectAlternativeName
extension or Subject commonName field containing a Reserved IP Address or
Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired
Certificates whose subjectAlternativeName extension or Subject commonName
field contains a Reserved IP Address or Internal Name. Effective May 1,
2015, each CA SHALL revoke all unexpired Certificates with an Internal Name
using onion as the right-most label in an entry in the subjectAltName
Extension or commonName field unless such Certificate was issued in
accordance with Appendix F of the EV Guidelines.



---- END BALLOT ----
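As an added illustration (not part of the ballot, and not any CA's or the Forum's code), a small Python checker that applies the subjectAltName rules in section C above to a list of already-parsed entries. It assumes the entry kinds (dNSName, iPAddress, SRVName) have been extracted from the certificate beforehand, approximates "Reserved IP Address" with `ipaddress.is_global`, and treats a single-label name as an Internal Name; the name-constraint rule is modelled by two flags describing the issuing CA.

```python
"""Added example: lint subjectAltName entries against the SRV ballot rules."""
import ipaddress
import re

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$", re.I)

def is_fqdn(name):
    # Assumption: a single-label name (no dot) is treated as an Internal Name.
    return bool(_FQDN_RE.match(name))

def is_wildcard_domain_name(name):
    # Ballot definition (Section 1.6.1): '*.' prepended to an FQDN.
    return name.startswith("*.") and is_fqdn(name[2:])

def srvname_name_portion(value):
    # RFC 4985 SRVName is "_Service.Name"; the CA validates the Name part.
    m = re.match(r"^_[a-z0-9-]+\.(.+)$", value, re.I)
    return m.group(1) if m else None

def check_san(entries, ca_has_dns_constraint=False, ca_has_srv_constraint=False):
    """entries: list of (kind, value), kind in dNSName / iPAddress / SRVName.
    Returns [(value, problem), ...]; an empty list means the entries pass."""
    if not entries:
        return [("", "subjectAltName MUST contain at least one entry")]
    problems = []
    for kind, value in entries:
        if kind == "dNSName":
            if not (is_fqdn(value) or is_wildcard_domain_name(value)):
                problems.append((value, "not an FQDN or Wildcard Domain Name"))
        elif kind == "SRVName":
            name = srvname_name_portion(value)
            if name is None:
                problems.append((value, "SRVName must be _Service.Name"))
            elif "*" in name:
                problems.append((value, "SRVName MUST NOT contain a Wildcard Domain Name"))
            elif not is_fqdn(name):
                problems.append((value, "SRVName Name portion is not an FQDN"))
            if ca_has_dns_constraint and not ca_has_srv_constraint:
                problems.append((value, "issuer constrains dNSName but not SRVName"))
        elif kind == "iPAddress":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                problems.append((value, "not a valid IP address"))
                continue
            if not ip.is_global:  # assumption: approximates "Reserved IP Address"
                problems.append((value, "Reserved IP Address"))
    return problems
```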