[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Tim Hollebeek tim.hollebeek at digicert.com
Tue Aug 14 13:35:36 MST 2018

Once the number of validation methods exceeds a certain level, BIT STRING is no longer the most compact.


I was actually quite fond of the proposal before I realized that.  But in reality, the vast majority of certificates are going to have a single integer, and the validation numbers will grow with time due to versioning, even if we don’t add new methods and only improve them …
From: Ryan Sleevi <sleevi at google.com> 
Sent: Tuesday, August 14, 2018 3:31 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>
Cc: Wayne Thayer <wthayer at mozilla.com>; Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies
On Tue, Aug 14, 2018 at 2:49 PM Tim Hollebeek <tim.hollebeek at digicert.com <mailto:tim.hollebeek at digicert.com> > wrote:

Ok, so the speculation about my motivations is completely ridiculous and I'm not going to address them.  Suffice it to say neither of your speculations is even remotely close to correct.


I'm sorry you feel I was speculating about your motives. Can you highlight where I did, and where I was wrong? I'm providing and citing the arguments and concerns you've raised, and solely discussing that. I think, to the extent anything in the Forum can be productive, understanding your base set of concerns is going to be key to finding a solution that works for you. If you believe my understanding of your concerns is incorrect, I hope you can highlight it.


I will say, thinking about it more, I think BIT STRING is optimizing for the wrong case.  I think large numbers of validation methods in a particular certificate will be vanishingly rare, so I think in the long term, just a sequence of integers is probably both easier to use, and more compact, since the number of elements will be strongly peaked at one. 


I'm not sure I understand this concern. The stated argument for BIT STRING is because it ensures no ambiguity with the "one and exactly one instance of a validation method" being present - that is, the issue Doug raised with SET and SEQUENCE. Further, it addresses the concerns you raised previously with RELATIVE OID (which appeared to be a deal breaker for you, given you stated DigiCert would vote against other approaches), namely, the size concern. This is clearly the most compact form of representing the information, in which additional methods cost only a single bit of information, rather than the three bytes that would be needed for an INTEGER (tag, length, and value).


As I said, the inability to understand your set of concerns, and the seemingly shifting and incompatible nature of them, is making it hard to find a solution that you find acceptable, which is very much my goal - both now and going forward.
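To make the size trade-off argued above concrete, here is an added example (not from the thread or the ballot text) that DER-encodes a set of validation method numbers both as a BIT STRING and as a SEQUENCE OF INTEGER and compares the byte counts. It assumes method 3.2.2.4.N maps to bit N-1 of the BIT STRING and to INTEGER N in the SEQUENCE; that mapping is an assumption, not ballot language.

```python
# Added example: DER-encode validation method numbers two ways and compare sizes.
# Assumption: method N -> bit N-1 in the BIT STRING, INTEGER N in the SEQUENCE.
def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(v: int) -> bytes:
    """Minimal two's-complement INTEGER for a non-negative value."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_length(len(body)) + body

def der_bit_string(methods: set[int]) -> bytes:
    """BIT STRING with bit N-1 set for each method N; DER drops trailing zero bits."""
    if not methods:
        return b"\x03\x01\x00"
    top = max(methods)                      # highest used bit index + 1
    buf = bytearray((top + 7) // 8)
    for m in methods:
        buf[(m - 1) // 8] |= 0x80 >> ((m - 1) % 8)
    unused = len(buf) * 8 - top             # leading octet: number of unused bits
    content = bytes([unused]) + bytes(buf)
    return b"\x03" + der_length(len(content)) + content

def der_sequence_of_integers(methods: set[int]) -> bytes:
    """SEQUENCE OF INTEGER, one element per method."""
    content = b"".join(der_integer(m) for m in sorted(methods))
    return b"\x30" + der_length(len(content)) + content

def encoded_sizes(methods: set[int]) -> tuple[int, int]:
    """Return (BIT STRING length, SEQUENCE OF INTEGER length) in bytes."""
    return len(der_bit_string(methods)), len(der_sequence_of_integers(methods))

def single_method_crossover() -> int:
    """Smallest method number N for which a certificate listing only method N
    is smaller as SEQUENCE OF INTEGER than as BIT STRING."""
    n = 1
    while encoded_sizes({n})[0] <= encoded_sizes({n})[1]:
        n += 1
    return n

if __name__ == "__main__":
    for methods in ({7}, {7, 8}, set(range(1, 9)), {50}):
        bs, seq = encoded_sizes(methods)
        print(f"methods {sorted(methods)}: BIT STRING {bs} bytes, SEQUENCE OF INTEGER {seq} bytes")
    print("single-method crossover at method number", single_method_crossover())
```

With one low-numbered method the BIT STRING wins by a byte and each extra method costs at most a bit, but a lone high method number (as versioning pushes numbers up) makes the BIT STRING grow while the SEQUENCE stays at five bytes.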
