[cabf_validation] Pre-Ballot Registration Agencies / Incorporating Agencies

Doug Beattie doug.beattie at globalsign.com
Thu May 14 12:31:53 MST 2020


Ryan,

 

I posted a couple of comments in GitHub, but wanted to provide them here as well for those that may not be following this thread.

 

I’m OK with providing a list of Registration Agencies / Incorporating Agencies by name, but this ballot also requires CAs to define and document (in the list of disclosed Agencies) all of the following information:

 

1. The accepted values for the `subject:jurisdictionLocalityName` (OID: 1.3.6.1.4.1.311.60.2.1.1), `subject:jurisdictionStateOrProvinceName` (OID: 1.3.6.1.4.1.311.60.2.1.2), and `subject:jurisdictionCountryName` (OID: 1.3.6.1.4.1.311.60.2.1.3) fields when a certificate is issued using information from that Incorporating Agency or Registration Agency, indicating the jurisdiction(s) that the Agency is appropriate for; and,

 

2. The accepted or allowed form or syntax of the Registration Number used by the Incorporating Agency or Registration Agency, if known; and,

 

This is going well beyond providing a list and we need to postpone that until a much future update, especially #2 if that involves analyzing the syntax and keeping that up to date when it changes.  I’d suggest we postpone these until the second phase you identified, by then maybe zlint checks could be established to enforce compliance and auditing based on #1 and 2 above.


From: Validation <validation-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Validation
Sent: Thursday, May 14, 2020 1:00 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [cabf_validation] Pre-Ballot Registration Agencies / Incorporating Agencies

 

Based on the feedback from the last call, I've tried to update https://github.com/sleevi/cabforum-docs/pull/11 (https://github.com/sleevi/cabforum-docs/pull/11/files) with everything that was raised, and I think that it's ready to look for co-endorsers for a formal ballot. If there are concerns, happy to hear them on list or on GitHub and see if we can't address them.

 

The specific changes that I incorporated can be viewed at https://github.com/sleevi/cabforum-docs/pull/11/commits/2080fdfeb2a3c6af1576247e7ff4ae02344513e0 

 

* Section 8.2 is more related to Certificate Policy OIDs. While disclosure requirements within the CP/CPS are captured here, instead move the disclosure of information sources closer to the verification process, since disclosure is required prior to use within verification

* There was concern that '24x7 availability' is at odds with a light touch approach that would permit disclosure via source control repositories (e.g. GitHub, GitLab) or online document services (e.g. Microsoft Office 365, Google G Suite). "readily accessible" is sufficient to indicate it must have more uptime than downtime

* Shift from 1 September to 1 October. This ensures "at least" three months, factoring in discussion, voting, and IP review, while avoiding any holiday freezes.

* Clarify that CAs only need to declare the sources they use, rather than any source they evaluate. CAs still need to disclose prior to use, and thus benefit from disclosing more early, but this does not require disclosure of every source evaluated, including those that are never used.

* Address default-deny concerns by making it clear that it's a minimum, not a maximum, for disclosure
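As an added illustration of the kind of lint check Doug suggests for items #1 and #2 (example code written for this page, not code from the ballot, from zlint, or from either author), the following Python checks a certificate subject against a disclosed agency list: the jurisdiction field values must be among those disclosed for the agency, and the Registration Number (carried in subject:serialNumber in EV certificates) must match the disclosed syntax where one is known. The agency names, jurisdictions, regex patterns and the `DisclosedAgency` structure are constructed assumptions, not any CA's real disclosure.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# EV jurisdiction field OIDs quoted in the ballot text, plus subject:serialNumber,
# which carries the Registration Number in EV certificates.
OID_JURISDICTION_LOCALITY = "1.3.6.1.4.1.311.60.2.1.1"
OID_JURISDICTION_STATE = "1.3.6.1.4.1.311.60.2.1.2"
OID_JURISDICTION_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"
OID_SERIAL_NUMBER = "2.5.4.5"

Jurisdiction = Tuple[str, str, str]  # (country, stateOrProvince, locality); "" where the field is absent


@dataclass(frozen=True)
class DisclosedAgency:
    """One entry of a CA's disclosed agency list (hypothetical structure, not the ballot's format)."""
    name: str
    jurisdictions: FrozenSet[Jurisdiction]        # accepted values for item #1
    registration_number_pattern: Optional[str]    # regex for item #2, or None if the syntax is not known


# Constructed disclosure list with made-up agencies; not any real CA's disclosure.
DISCLOSED: Dict[str, DisclosedAgency] = {
    "Example Companies Registry": DisclosedAgency(
        "Example Companies Registry", frozenset({("XX", "", "")}), r"[0-9]{8}"),
    "Example State Corporations Office": DisclosedAgency(
        "Example State Corporations Office", frozenset({("XX", "Example State", "")}), None),
}


def lint_ev_subject(subject: Dict[str, str], agency_name: str,
                    disclosed: Dict[str, DisclosedAgency] = DISCLOSED) -> List[str]:
    """Return lint findings for a subject DN given as {OID: value}; an empty list means no finding."""
    agency = disclosed.get(agency_name)
    if agency is None:
        return [f"agency '{agency_name}' is not on the disclosed list"]
    findings: List[str] = []
    jurisdiction: Jurisdiction = (
        subject.get(OID_JURISDICTION_COUNTRY, ""),
        subject.get(OID_JURISDICTION_STATE, ""),
        subject.get(OID_JURISDICTION_LOCALITY, ""),
    )
    if jurisdiction not in agency.jurisdictions:
        findings.append(f"jurisdiction {jurisdiction} is not disclosed for '{agency_name}'")
    reg = subject.get(OID_SERIAL_NUMBER)
    if reg is None:
        findings.append("subject:serialNumber (Registration Number) is missing")
    elif agency.registration_number_pattern and not re.fullmatch(agency.registration_number_pattern, reg):
        findings.append(f"registration number '{reg}' does not match the disclosed syntax for '{agency_name}'")
    return findings
```

A national-level registry is disclosed with empty state and locality, so a certificate that adds a `subject:jurisdictionStateOrProvinceName` for it is flagged even though the country matches.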
