[cabf_validation] Ballot Proposal: Validation Method in certificatePolicies

Wayne Thayer wthayer at mozilla.com
Sat Jun 23 17:22:51 MST 2018


Thanks for the feedback Ryan. I think the new extension is cleaner and
would like to propose that approach. Are you comfortable defining the
syntax of the new extension in a new sub (g) of section 7.1.2.3 - roughly
as follows?

g.   cabf-BRValidationMethod (2.23.140.1.11) (required on or after April 1,
2019)

This extension contains a list of one or more OIDs that assert every
distinct method performed by the CA to validate domain control or ownership
of each FQDN contained in the certificate's subjectAlternativeName.

These OIDs representing validation methods SHALL be defined as follows:
* 2.23.140.1.2.4 concatenated with the subsection number of section
3.2.2.4 corresponding to the domain validation method that was used to
validate one or more subjectAlternativeNames in this certificate (e.g.
'2.23.140.1.2.4.2'); or,
* 2.23.140.1.2.5 concatenated with the subsection number of section 3.2.2.5
corresponding to the IP address validation method that was used to validate
one or more subjectAlternativeNames in the certificate (e.g.
'2.23.140.1.2.5.1').

OIDs representing validation methods MUST be encoded in this extension as
follows:

cabf-BRValidationMethod OBJECT IDENTIFIER ::= { 2 23 140 1 NN }
    -- NN is the arc assigned to this extension (11 in the heading above)

BRValidationMethodSyntax ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER

If this is headed in the right direction, I'll update the ballot proposal
on GitHub.

- Wayne
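
As an added worked example (my own code, not part of the message above and not
anything the CA/Browser Forum publishes): a standard-library-only Python DER
encoder and decoder for the proposed extension value, a SEQUENCE SIZE (1..MAX)
OF OBJECT IDENTIFIER, which then maps each method OID back to the Baseline
Requirements subsection it asserts. The 2.23.140.1.2.4.N and 2.23.140.1.2.5.N
arcs are taken from the proposal; every function name and the sample input are
this example's own.

```python
# Added example, not code from the proposal: DER-encode/decode the proposed
# cabf-BRValidationMethod value (SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER)
# and map each OID to the BR subsection it asserts. The OID arcs are the
# proposal's; the function names here are this example's own.
DOMAIN_ARC = (2, 23, 140, 1, 2, 4)   # 2.23.140.1.2.4.N  <->  BR 3.2.2.4.N
IP_ARC = (2, 23, 140, 1, 2, 5)       # 2.23.140.1.2.5.N  <->  BR 3.2.2.5.N

def _base128(n):
    """One OID subidentifier: 7 bits per byte, high bit set on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def _length(n):
    """DER definite length: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID %r" % dotted)
    body = _base128(arcs[0] * 40 + arcs[1])   # first two arcs share one subidentifier
    for a in arcs[2:]:
        body += _base128(a)
    return b"\x06" + _length(len(body)) + body

def encode_validation_methods(oids):
    """BRValidationMethodSyntax: SEQUENCE of at least one OBJECT IDENTIFIER."""
    if not oids:
        raise ValueError("SIZE (1..MAX): at least one OID is required")
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _length(len(body)) + body

def _read_tlv(data, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        if length < 0x80 or data[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated contents")
    return tag, data[pos:pos + length], pos + length

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID contents")
    arcs, value, first = [], 0, True
    for b in body:
        if value == 0 and b == 0x80:
            raise ValueError("non-minimal subidentifier")  # DER forbids 0x80 padding
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        if first:  # unpack the combined first subidentifier
            arcs += [2, value - 80] if value >= 80 else [value // 40, value % 40]
            first = False
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def decode_validation_methods(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER, got tag 0x%02x" % tag)
        oids.append(decode_oid(contents))
    if not oids:
        raise ValueError("SIZE (1..MAX) violated: empty SEQUENCE")
    return oids

def br_section(oid):
    """BR subsection asserted by a method OID, or None if not under either arc."""
    arcs = tuple(int(a) for a in oid.split("."))
    for arc, section in ((DOMAIN_ARC, "3.2.2.4"), (IP_ARC, "3.2.2.5")):
        if len(arcs) == len(arc) + 1 and arcs[:len(arc)] == arc:
            return "%s.%d" % (section, arcs[-1])
    return None

if __name__ == "__main__":
    # Constructed input: names validated under BR 3.2.2.4.2 and 3.2.2.5.1.
    der = encode_validation_methods(["2.23.140.1.2.4.2", "2.23.140.1.2.5.1"])
    print(der.hex())
    for oid in decode_validation_methods(der):
        print(oid, "->", br_section(oid))
```

Two points worth noticing when checking a real certificate against this
proposal: the 140 arc needs two base-128 bytes (0x81 0x0C), which is where
hand-rolled OID code usually goes wrong, and a conforming decoder has to
reject both an empty SEQUENCE (the SIZE (1..MAX) constraint) and any OID that
is not exactly one arc below 2.23.140.1.2.4 or 2.23.140.1.2.5, which is what
br_section returning None is for.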

On Sat, Jun 9, 2018 at 4:19 PM Ryan Sleevi <sleevi at google.com> wrote:
