[cabf_validation] 5280 limitations

Jeremy Rowley jeremy.rowley at digicert.com
Fri Mar 31 13:20:01 MST 2017


Yes - let's have a separate consistency ballot after a few of these pass. 

 

I think we concentrate only on the BRs for now. One of the main suggestions
was that we list all of the exceptions to 5280 in one section. We can list
them in multiple locations, but we should include a complete list in the
section that incorporates 5280 by reference.

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim
Hollebeek via Validation
Sent: Friday, March 31, 2017 1:46 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Tim Hollebeek <THollebeek at trustwave.com>
Subject: Re: [cabf_validation] 5280 limitations

 

Perhaps we should have an EV/DV consistency ballot.  Another potential one
to fix is that EV certificate lifetimes are limited to 27 months, not 825
days.  It might be worth fixing EV to be 825 days for consistency (and for
all the other reasons the recent ballot used 825 days instead of 27 months).

 

-Tim

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Ben
Wilson via Validation
Sent: Friday, March 31, 2017 3:42 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabf_validation] 5280 limitations

 

Here is a PDF with redlining to show the potential changes.

 

Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678



 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Ben
Wilson via Validation
Sent: Friday, March 31, 2017 1:13 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabf_validation] 5280 limitations

 

All,

I'm working on a draft ballot to remove the 64-character limitation (and to
allow underscores in FQDNs).  One question that came up is how to handle
Section 9.2.1 of the EV Guidelines (Subject Organization Name Field), which
states, "If the combination of names or the organization name by itself
exceeds 64 characters, the CA MAY abbreviate parts of the organization name,
and/or omit non-material words in the organization name in such a way that
the text in this field does not exceed the 64-character limit; provided that
the CA checks this field in accordance with section 11.12.1 and a Relying
Party will not be misled into thinking that they are dealing with a
different organization. In cases where this is not possible, the CA MUST NOT
issue the EV Certificate."

Do I focus just on edits to the Baseline Requirements and let someone else
raise this issue with potential EV Guidelines inconsistency?  Otherwise, I
might suggest replacing the entirety of the text above with something simple
like, "This field MAY contain up to 256 characters."

 

Thanks,

 

Ben

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim
Hollebeek via Validation
Sent: Tuesday, March 21, 2017 8:49 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Tim Hollebeek <THollebeek at trustwave.com>
Subject: Re: [cabf_validation] 5280 limitations

 

I hate the arbitrary 64 character limit and would love to see PKIs move away
from it.  It has bitten me in the rear so many times I've lost count.

 

-Tim

 

From: Validation <validation-bounces at cabforum.org> on behalf of
"validation at cabforum.org" <validation at cabforum.org>
Reply-To: "validation at cabforum.org" <validation at cabforum.org>
Date: Tuesday, March 21, 2017 at 10:28 AM
To: "validation at cabforum.org" <validation at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: Re: [cabf_validation] 5280 limitations

 

No issues with browsers.   

 

I would be happy to bring this up today.

 

On Mar 21, 2017, at 7:25 AM, Bruce Morton via Validation
<validation at cabforum.org> wrote:

 

I would be concerned with failures with the browsers. Are there any current
issues?

 

Thanks, Bruce.

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
Jeremy Rowley via Validation
Sent: Tuesday, March 21, 2017 10:18 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [cabf_validation] 5280 limitations

 

Is there interest in creating an exception to 5280 for the following?

 

1.	Use of underscore characters in host names
2.	Limitation on subject fields to 64 characters

 

Jeremy

 

_______________________________________________
Validation mailing list
Validation at cabforum.org
https://cabforum.org/mailman/listinfo/validation

 
