[cabf_validation] Fwd: Draft Minutes from Today's call of 2020-05-21

Ben Wilson bwilson at mozilla.com
Thu May 21 11:40:31 MST 2020

Draft Minutes of Validation Subcommittee of the Server Certificate Working

Date: May 21, 2020

Present: Ben Wilson, Wayne Thayer, Tim Hollebeek, Andrea Holland, Aneta
Wojtczak-Iwanicka, Bruce Morton, Clint Wilson, Corey Bonnell, Daniela Hood,
Janet Hines, Luis Cervantes, Niko Carpenter, Patrick Nohe, Wendy Brown,
Trev White Ponds, Taconis Lewis, Stephen Davidson, Rich Smith

Antitrust statement: Read by Tim

Minutes: Prior minutes have been circulated by Ryan.

Agenda: Review Certificate Profiles and no other business.


The group opened up the Google Documents – Certificate Profiles Spreadsheet

Reviewed BR Section – basic constraints.  It looked fine. For key
usage for Root Certificates, there was a question on whether “any other
value” on root certificate keyUsage should be “prohibited”. The group
decided to conduct research and survey what has been allowed and/or
asserted previously in root certificates.

Reviewed the certificatePolicies for subordinate CAs (line 28 of
spreadsheet) – BRs say “should not” be marked critical.

Noted that comments on line 30 come from the BR section

Noted that policyQualifier and its subfields are optional.

Information for the cRL DP was discussed.

Column Q (source of requirement) information needs to be filled in by

Line 43 – Any other distribution point – should be permitted (e.g. for LDAP
distribution). Wayne said that for the Web PKI it might not be used. Maybe
we should say that more are permitted. Stephen Davidson noted that over 300
CAs have LDAP as a CRL Distribution. We added comments re: RFC5280 and HTTP

Row 30 - Looked at whether BR (Certificate Policies extension for
subscriber certificates). Also, in row 30, BR section carves out
differences on whether the anyPolicy OID can be used for non-affiliate CAs,
it should be referenced in the profiles table.

Row 46 (AIAs) we noted that Column P alludes to the possibility that AIA
might not be optional if the Browser Root program requirements ballot

It was noted that the Extensions tab in the spreadsheet has the additional

Wayne noted that CRL, OCSP, etc. need to be http. However, at least one CA
has used https for policyQualifier and asked whether that is allowed. Rich
Smith noted that RFC 5280 allows the PKI to pick the method for the CPS
URI. The group discussed whether it should be allowed if it is not
forbidden. Clint argued that his interpretation of the current BRs is that
http is required. Robin argued that https is http over SSL. The group
thought that https might be required in the future. Notes were written in
cell P34 on the SubCA tab.
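The profile rules raised on this call (http-only AIA URIs, LDAP tolerated beside an http CRL distribution point, and root keyUsage limited to keyCertSign/cRLSign) can be expressed as a small lint over a parsed certificate. The following is an added example, not code from the CA/Browser Forum or the spreadsheet; it uses Go's standard crypto/x509 and a constructed self-signed CA with example.invalid hostnames, so the findings it reports are about that constructed sample only.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net/url"
	"time"
)
// isHTTP reports whether u parses as a URI with the plain http scheme.
func isHTTP(u string) bool {
	p, err := url.Parse(u)
	return err == nil && p.Scheme == "http"
}
// LintProfile applies the checks discussed on the call: OCSP and caIssuers (AIA) URIs must be
// http; CRL DPs may add ldap etc. but one http DP is required; CA keyUsage is keyCertSign/cRLSign only.
func LintProfile(c *x509.Certificate) []string {
	var out []string
	for _, u := range append(append([]string{}, c.OCSPServer...), c.IssuingCertificateURL...) {
		if !isHTTP(u) {
			out = append(out, "AIA "+u+": scheme must be http")
		}
	}
	hasHTTP := false
	for _, u := range c.CRLDistributionPoints {
		hasHTTP = hasHTTP || isHTTP(u) // ldap:// and other schemes are tolerated beside an http DP
	}
	if len(c.CRLDistributionPoints) > 0 && !hasHTTP {
		out = append(out, "CRL DP: no http distribution point present")
	}
	if c.IsCA && c.KeyUsage&^(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) != 0 {
		out = append(out, "keyUsage: CA asserts bits beyond keyCertSign/cRLSign")
	}
	return out
}
// SampleRoot builds a constructed self-signed CA (not a real root) with ldap+http CRL DPs, an https OCSP URI and an extra digitalSignature bit.
func SampleRoot() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{"ldap://ldap.example.invalid/cn=root", "http://crl.example.invalid/root.crl"},
		OCSPServer:            []string{"https://ocsp.example.invalid"},
		IssuingCertificateURL: []string{"http://aia.example.invalid/root.crt"},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Running `LintProfile(SampleRoot())` yields two findings (the https OCSP URI and the extra keyUsage bit); the ldap CRL DP passes because an http DP is also present.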

We ended at BR when we stopped.