[cabf_validation] 5280 limitations

Tim Hollebeek THollebeek at trustwave.com
Fri Mar 31 12:45:41 MST 2017


Perhaps we should have an EV/DV consistency ballot.  Another potential one to fix is that EV certificate lifetimes are limited to 27 months, not 825 days.  It might be worth fixing EV to be 825 days for consistency (and for all the other reasons the recent ballot used 825 days instead of 27 months).

-Tim

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Ben Wilson via Validation
Sent: Friday, March 31, 2017 3:42 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabf_validation] 5280 limitations

Here is a PDF with redlining to show the potential changes.

Ben Wilson, JD, CISA, CISSP
VP Compliance
+1 801 701 9678

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Ben Wilson via Validation
Sent: Friday, March 31, 2017 1:13 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabf_validation] 5280 limitations


All,

I'm working on a draft ballot to remove the 64-character limitation (and to allow underscores in FQDNs).  One question that came up is how to handle Section 9.2.1 of the EV Guidelines (Subject Organization Name Field), which states, "If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with section 11.12.1 and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate."
Do I focus just on edits to the Baseline Requirements and let someone else raise this issue with potential EV Guidelines inconsistency?  Otherwise, I might suggest replacing the entirety of the text above with something simple like, "This field MAY contain up to 256 characters."

Thanks,

Ben

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim Hollebeek via Validation
Sent: Tuesday, March 21, 2017 8:49 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Tim Hollebeek <THollebeek at trustwave.com>
Subject: Re: [cabf_validation] 5280 limitations

I hate the arbitrary 64 character limit and would love to see PKIs move away from it.  It has bitten me in the rear so many times I've lost count.

-Tim

From: Validation <validation-bounces at cabforum.org> on behalf of "validation at cabforum.org" <validation at cabforum.org>
Reply-To: "validation at cabforum.org" <validation at cabforum.org>
Date: Tuesday, March 21, 2017 at 10:28 AM
To: "validation at cabforum.org" <validation at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: Re: [cabf_validation] 5280 limitations

No issues with browsers.

I would be happy to bring this up today.

On Mar 21, 2017, at 7:25 AM, Bruce Morton via Validation <validation at cabforum.org> wrote:

I would be concerned with failures with the browsers. Are there any current issues?

Thanks, Bruce.

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Validation
Sent: Tuesday, March 21, 2017 10:18 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [cabf_validation] 5280 limitations

Is there interest in creating an exception to 5280 for the following?

  1.  Use of underscore characters in host names
  2.  Limitation on subject fields to 64 characters

Jeremy
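The two RFC 5280 constraints Jeremy lists, turned into a small lint that a CA or relying party could run over an already-parsed subject and SAN list. This is an added example, not code from the thread or from the CA/Browser Forum; the sample subject, the SAN names and the treatment of a leading wildcard label are constructed assumptions.

```python
import re

# RFC 5280 Appendix A upper bounds (counted in characters, not bytes) for the
# DirectoryString attributes most often seen in TLS server certificate subjects.
UPPER_BOUNDS = {
    "CN": 64,   # ub-common-name
    "O": 64,    # ub-organization-name, the bound EVG 9.2.1 works around
    "OU": 64,   # ub-organizational-unit-name
    "L": 128,   # ub-locality-name
    "ST": 128,  # ub-state-name
}

# RFC 1034 s3.5 / RFC 1123 s2.1 "preferred name syntax" label, which RFC 5280
# s4.2.1.6 requires for dNSName: letters, digits and hyphens only, no leading
# or trailing hyphen, at most 63 characters. Underscores are excluded.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_subject(subject):
    """Return the attribute types whose value exceeds its RFC 5280 bound."""
    violations = []
    for attr_type, value in subject:
        bound = UPPER_BOUNDS.get(attr_type)
        # len() counts code points; a byte-oriented encoder may reject sooner.
        if bound is not None and len(value) > bound:
            violations.append(attr_type)
    return violations


def is_preferred_name_syntax(hostname, allow_wildcard=True):
    """True if hostname fits the dNSName rules of RFC 5280 s4.2.1.6.
    A single left-most '*' label is accepted when allow_wildcard is set
    (assumption: mirrors the Baseline Requirements' wildcard allowance)."""
    if not hostname or len(hostname) > 253:  # 253 chars in presentation form
        return False
    labels = hostname.rstrip(".").split(".")
    if allow_wildcard and labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]
    return all(LABEL_RE.match(label) for label in labels)


# Constructed sample, not a real certificate: a 70-character O value and an
# underscore in one SAN, the two cases that would need the requested exception.
SAMPLE_SUBJECT = [("C", "US"), ("O", "A" * 70), ("CN", "www.example.com")]
SAMPLE_SANS = ["www.example.com", "my_host.example.com", "*.example.com"]

if __name__ == "__main__":
    print(check_subject(SAMPLE_SUBJECT))
    print([n for n in SAMPLE_SANS if not is_preferred_name_syntax(n)])
```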

_______________________________________________
Validation mailing list
Validation at cabforum.org
https://cabforum.org/mailman/listinfo/validation
