[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Tim Hollebeek tim.hollebeek at digicert.com
Fri Aug 10 20:10:12 MST 2018

I think this might be the best of both worlds, and I thank Wayne for proposing 


From: Wayne Thayer <wthayer at mozilla.com>
Sent: Thursday, August 9, 2018 1:54 PM
To: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Validation WG List 
<validation at cabforum.org>
Cc: Tim Hollebeek <tim.hollebeek at digicert.com>
Subject: Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation 
Method in certificatePolicies

Redirecting this discussion back to my proposal...

I understand Tim's position to be that CAs should have the choice of encoding 
this data as relative OIDs, even if it is difficult for the CA to do that and 
causes all sorts of compatibility issues in client software. For certificate 
consumers that value size above all else, the benefits may outweigh the risks.

I think this approach builds a footgun into the BRs because the odds are high 
that some CAs will get it wrong (encode relative OID as OID --> misissuance) 
and some clients will fail to parse data that is properly encoded as a 
relative OID.

What are the objections to encoding the validation method number(s) as a 
sequence of integers? This at least results in a smaller certificate that is 
unlikely to cause compatibility problems. I would, of course, propose a 
mechanism for expressing IP Address validation methods uniquely.

On Thu, Aug 9, 2018 at 11:10 AM Ryan Sleevi via Validation 
<validation at cabforum.org> wrote:
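
Wayne's size and footgun argument above, as an added example that is not part of the thread: minimal DER encoders for the three candidate encodings (absolute OID, RELATIVE-OID, SEQUENCE OF INTEGER), a strict decoder standing in for a client that knows only one tag, and the case where relative arcs are emitted under the OID tag. BASE and METHODS are constructed placeholders, not real CA/Browser Forum arcs or method numbers.

```python
# Added example, not code from the thread; BASE below is a hypothetical placeholder arc.
def _base128(n: int) -> bytes:  # subidentifier in base 128 with continuation bits (X.690 8.19.2)
    out = bytes([n & 0x7F])
    while n := n >> 7:
        out = bytes([0x80 | (n & 0x7F)]) + out
    return out

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body

def der_oid(arcs: list[int]) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): the first two arcs are merged as 40*X+Y."""
    return _tlv(0x06, b"".join(map(_base128, [40 * arcs[0] + arcs[1]] + arcs[2:])))

def der_relative_oid(arcs: list[int]) -> bytes:
    """RELATIVE-OID (tag 0x0D): each arc is its own subidentifier, nothing merged."""
    return _tlv(0x0D, b"".join(map(_base128, arcs)))

def der_sequence_of_integer(values: list[int]) -> bytes:
    """SEQUENCE OF INTEGER for values 0..127 (one content byte, sign bit clear)."""
    return _tlv(0x30, b"".join(_tlv(0x02, bytes([v])) for v in values))

def decode_oid(der: bytes, expect_tag: int) -> list[int]:
    """Strict decoder: a consumer that only knows expect_tag rejects anything else."""
    tag, length, body = der[0], der[1], der[2:]
    if tag != expect_tag:
        raise ValueError(f"tag 0x{tag:02X} is not the expected 0x{expect_tag:02X}")
    if length != len(body) or not body or body[-1] & 0x80:
        raise ValueError("bad length or truncated subidentifier")
    subids, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    if expect_tag == 0x06:  # undo the 40*X+Y merge of the first subidentifier
        x = 2 if subids[0] >= 80 else subids[0] // 40
        subids = [x, subids[0] - 40 * x] + subids[1:]
    return subids

BASE = [1, 3, 6, 1, 4, 1, 99999]  # hypothetical base arc for validation methods
METHODS = [4, 7]                  # constructed: "method numbers 4 and 7"
def encoded_sizes() -> dict:  # bytes on the wire for the same two methods
    return {"oid": len(der_oid(BASE + METHODS)),
            "relative": len(der_relative_oid(METHODS)),
            "seq_of_int": len(der_sequence_of_integer(METHODS))}
def mistagged_relative_oid() -> list[int]:
    """The footgun: relative arcs emitted under the OID tag decode as a different OID."""
    return decode_oid(bytes([0x06]) + der_relative_oid(METHODS)[1:], 0x06)
```

A client that only handles tag 0x06 raises on the correctly tagged RELATIVE-OID, while the mis-tagged bytes decode silently as 0.4.7 instead of the intended 4.7.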
