[cabf_validation] [EXTERNAL] Re: Ballot Proposal: Validation Method in certificatePolicies

Wayne Thayer wthayer at mozilla.com
Thu Aug 9 13:53:31 MST 2018

Redirecting this discussion back to my proposal...

I understand Tim's position to be that CAs should have the choice of
encoding this data as relative OIDs, even if it is difficult for the CA to
do that and causes all sorts of compatibility issues in client software.
For certificate consumers that value size above all else, the benefits may
outweigh the risks.

I think this approach builds a footgun into the BRs because the odds are
high that some CAs will get it wrong (encode relative OID as OID -->
misissuance) and some clients will fail to parse data that is properly
encoded as a relative OID.

What are the objections to encoding the validation method number(s) as a
sequence of integers? This at least results in a smaller certificate that
is unlikely to cause compatibility problems. I would, of course, propose a
mechanism for expressing IP Address validation methods uniquely.

On Thu, Aug 9, 2018 at 11:10 AM Ryan Sleevi via Validation <
validation at cabforum.org> wrote:


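An added example (editor's code, not from either message in this thread) that encodes one validation-method number in the three forms under discussion: RELATIVE-OID, OBJECT IDENTIFIER and SEQUENCE OF INTEGER, following X.690. The arcs 3.2.2.4.7 are a constructed placeholder in the BR section-number style, not a value taken from the thread. The strict decoders show both failure modes Wayne describes: a relative OID pushed through an OBJECT IDENTIFIER encoder silently becomes a different identifier (the first two arcs get packed as 40*first+second), and a parser that expects one tag rejects the other.

```python
def _base128(n: int) -> bytes:  # one sub-identifier, continuation bit on all but the last byte (X.690 8.19.2)
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def _sub_ids(content: bytes) -> list[int]:  # inverse of _base128 over a whole content octet string
    ids, acc, pending = [], 0, False
    for b in content:
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            ids.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated sub-identifier")
    return ids

def _tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 128, "short-form length suffices for these examples"
    return bytes([tag, len(content)]) + content

def _untlv(der: bytes, tag: int) -> bytes:  # strict: exact tag, and the length must cover the whole buffer
    if len(der) < 2 or der[0] != tag:
        raise ValueError(f"expected tag 0x{tag:02X}, got {der[:1].hex() or 'nothing'}")
    if der[1] >= 128 or len(der) != 2 + der[1]:
        raise ValueError("bad length")
    return der[2:]

def encode_oid(arcs: list[int]) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): the first two arcs are packed as 40*first+second."""
    return _tlv(0x06, _base128(arcs[0] * 40 + arcs[1]) + b"".join(map(_base128, arcs[2:])))
def decode_oid(der: bytes) -> list[int]:
    ids = _sub_ids(_untlv(der, 0x06))
    first = min(ids[0] // 40, 2)  # X.690 8.19.4: the first arc can only be 0, 1 or 2
    return [first, ids[0] - 40 * first] + ids[1:]

def encode_relative_oid(arcs: list[int]) -> bytes:
    """RELATIVE-OID (tag 0x0D): every arc is its own sub-identifier, nothing is packed."""
    return _tlv(0x0D, b"".join(map(_base128, arcs)))
def decode_relative_oid(der: bytes) -> list[int]:
    return _sub_ids(_untlv(der, 0x0D))

def encode_integer_sequence(values: list[int]) -> bytes:
    """SEQUENCE OF INTEGER (0x30 around 0x02 elements); non-negative values only."""
    ints = (v.to_bytes(v.bit_length() // 8 + 1, "big") for v in values)
    return _tlv(0x30, b"".join(_tlv(0x02, i) for i in ints))
```

For the placeholder arcs the RELATIVE-OID form is 7 bytes and the SEQUENCE OF INTEGER form is 17 bytes, while `decode_oid(encode_oid([3, 2, 2, 4, 7]))` returns `[2, 42, 2, 4, 7]`, which is the silent misissuance case.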