<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>I think we should have one OID extension and then a sequence and then context-specific strings that map to each validation method used – similar to what is done for SANs under RFC 5280. Similar to the SAN approach, you would identify what context-specific type of SAN (domain name or IP address) we are talking about. (I’m not suggesting that CAs would be required to have a matching method for each SAN in a certificate, they could still have just one, however they could if they wanted, or they could include multiple lines, without one-to-one mapping.)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>To illustrate, here is a clip from RFC 5280<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>SubjectAltName ::= GeneralNames<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>GeneralName ::= CHOICE {<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> otherName [0] AnotherName,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> rfc822Name [1] IA5String,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> dNSName [2] IA5String,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> x400Address [3] ORAddress,<o:p></o:p></span></p><p class=MsoNormal><span 
style='font-size:10.0pt;font-family:"Courier New"'> directoryName [4] Name,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> ediPartyName [5] EDIPartyName,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> uniformResourceIdentifier [6] IA5String,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> iPAddress [7] OCTET STRING,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'> registeredID [8] OBJECT IDENTIFIER }<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I’m also not suggesting that this numbering from RFC 5280 be used.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ben <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Validation <validation-bounces@cabforum.org> <b>On Behalf Of </b>Tim Hollebeek via Validation<br><b>Sent:</b> Wednesday, August 15, 2018 11:40 AM<br><b>To:</b> Corey Bonnell <CBonnell@trustwave.com>; Wayne Thayer <wthayer@mozilla.com>; CA/Browser Forum Validation WG List <validation@cabforum.org><br><b>Subject:</b> Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I also like the separate extension because IP validated certificates are pretty rare. 
I think it’d be nicer not to muck up the 3.2.2.4 list with attempts to accommodate them.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Corey Bonnell <<a href="mailto:CBonnell@trustwave.com">CBonnell@trustwave.com</a>> <br><b>Sent:</b> Wednesday, August 15, 2018 12:48 PM<br><b>To:</b> Wayne Thayer <<a href="mailto:wthayer@mozilla.com">wthayer@mozilla.com</a>>; CA/Browser Forum Validation WG List <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>><br><b>Subject:</b> Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi Wayne,<o:p></o:p></p><p class=MsoNormal>Perhaps create another extension/OID to contain the BIT STRING of validation methods for IP addresses? Doing so would remove the need to have a special numbering scheme for IP address validation method numbers and would be straightforward to process.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Additionally, if a certificate contains only iPAddress SANs, it could omit the dNSName-specific extension entirely (likewise for a certificate that contains only dNSNames). 
Certificates that contain both dNSNames and iPAddress SANs are rare in practice, so there is no additional space overhead in the common case.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<br>Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p><div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Arial",sans-serif;color:#428FC5'>Corey Bonnell</span></b><span style='font-size:10.5pt;color:#428FC5'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Arial",sans-serif;color:gray'>Senior Software Engineer</span><span style='font-size:10.5pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></p></div></div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Arial",sans-serif;color:#428FC5'>Trustwave</span></b><b><span style='font-size:10.5pt;font-family:"Arial",sans-serif;color:gray'> </span></b><span style='font-size:10.5pt;font-family:"Arial",sans-serif;color:gray'>| SMART SECURITY ON DEMAND<a href="http://www.trustwave.com/"><span style='color:gray;text-decoration:none'><br>https://www.trustwave.com</span></a></span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Validation <<a href="mailto:validation-bounces@cabforum.org">validation-bounces@cabforum.org</a>> on behalf of Wayne Thayer via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>><br><b>Reply-To: </b>Wayne Thayer <<a href="mailto:wthayer@mozilla.com">wthayer@mozilla.com</a>>, CA/Browser Forum Validation WG List <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>><br><b>Date: </b>Wednesday, 
August 15, 2018 at 12:34 PM<br><b>To: </b>Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>, CA/Browser Forum Validation WG List <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>><br><b>Subject: </b>Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>To make the BIT STRING encoding work in a single extension, we should discuss how best to collapse domain and IP address validation methods into a single "namespace". It might be best to add explicit and unique numbering to all the domain + IP address methods as part of the ballot to remove the IP address "any other method". I'd like to avoid the need for a separate mapping table (e.g. bit position 17 signifies method 3.2.2.5.3).<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Wed, Aug 15, 2018 at 9:22 AM Tim Hollebeek via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Yeah, lots of people are going to make the same mistake I did if Method 6 is represented by bit 5 (not 6! I like my bit numbers to be zero based, so you can just do the power thing). Off by one errors are so much fun …<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>But again, I don’t think it’s a huge problem. 
Only technical people are staring at this stuff, and they’ll quickly learn which values correspond to which methods.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-Tim<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>> <br><b>Sent:</b> Wednesday, August 15, 2018 11:32 AM<br><b>To:</b> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" target="_blank">tim.hollebeek@digicert.com</a>><br><b>Cc:</b> Doug Beattie <<a href="mailto:doug.beattie@globalsign.com" target="_blank">doug.beattie@globalsign.com</a>>; Daymion T. 
Reynolds <<a href="mailto:dreynolds@godaddy.com" target="_blank">dreynolds@godaddy.com</a>>; CA/Browser Forum Validation WG List <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>><br><b>Subject:</b> Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Wed, Aug 15, 2018 at 9:24 AM Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" target="_blank">tim.hollebeek@digicert.com</a>> wrote: <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Given that the number of 1 bits is likely low, I don’t think BIT STRING is that hard to read. It just means that you’re going to have to memorize that Method 6 is “64” instead of 6. 
It’s slightly tougher, but if you’re the sort of person who is capable of staring at raw ASN.1, I think you can cope.<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I'm not sure I understand your point about knowing that "Method 6 is 64".<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Method 6 is Bit 6.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Method 7 is Bit 7.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Method 139 is Bit 139.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>A certificate viewer that does not dive into constructed extensions would display the extension as its full hex (e.g. with the outer Tag and Length octets).<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>A certificate viewer that does dive into constructed extensions would display the inner value, typically in either base2 or base16 notation. In Base2 notation, it's 'easy' to count which bits are set. In Base16 notation, you can easily convert to Base2.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>A certificate viewer that explicitly knows about this extension can:<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> - Use named values for methods it recognizes (e.g. as a lookup table, same as OIDs)<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> - Alternatively, note the integer position itself for which bit was set - e.g. bit 1 = method 1, bit 2 = method 2 etc. - and display that as such<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>But regardless, you shouldn't expect to see "Method 6 is 64". You'd expect 32, at best, but more realistically, 0x20. :)<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal>_______________________________________________<br>Validation mailing list<br><a href="mailto:Validation@cabforum.org" target="_blank">Validation@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/validation" target="_blank">https://cabforum.org/mailman/listinfo/validation</a><o:p></o:p></p></blockquote></div></div></div></body></html>