<div dir="ltr">That still seems exceptionally vague for wfa-hotspot-friendlyName. Could you tighten it up, or explain why it's ambiguous?<div><br></div><div>For example, if an individual member of the WiFi Alliance says "Yeah, that's OK", is that deemed appropriate?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 3, 2017 at 12:13 PM, Jeremy Rowley via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-3045134859279020391WordSection1"><p class="MsoNormal">Sure – I thought I’d keep it more general than that in case we wanted to include additional otherNames, but we can always address scenarios as they arise.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Assuming the otherName for WFA is non-controversial, we can combine the SRV ballot with this proposal:<u></u><u></u></p><span class=""><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><b>7.1.4.2.1. Subject Alternative Name Extension </b><u></u><u></u></p><p class="MsoNormal">Certificate Field: extensions:subjectAltName <u></u><u></u></p><p class="MsoNormal">Required/Optional: Required <u></u><u></u></p></span><p class="MsoNormal">Contents: This extension MUST contain at least one entry. Each entry MUST be <u>one of the following entries: 1) </u><s>either </s>a dNSName containing the Fully‐Qualified Domain Name<u> or a Wildcard Domain Name, 2) </u><s> or </s>an iPAddress containing the IP address of a server,<u>3) a rfc822Name containing an RFC 5322 email address, 4) an otherName with a id-wfa-hotspot-friendlyName type { 1.3.6.1.4.1.40808.1.1.1 } or 5) an otherName of type SRVName as defined in RFC4986. </u> <u>T</u>he CA MUST confirm <u>each entry as follows:<u></u><u></u></u></p><p class="m_-3045134859279020391MsoListParagraph"><u></u><span>A)<span style="font:7.0pt "Times New Roman""> </span></span><u></u><u>For each dNSName entry, the CA MUST verify the entry in accordance with Section 3.2.2.4;</u><u></u><u></u></p><p class="m_-3045134859279020391MsoListParagraph"><u></u><span>B)<span style="font:7.0pt "Times New Roman""> </span></span><u></u><u>For each SRVName entry, the CA MUST verify the Name portion of the entry in accordance with Section 3.2.2.4;</u><u></u><u></u></p><p class="m_-3045134859279020391MsoListParagraph"><u></u><span>C)<span style="font:7.0pt "Times New Roman""> </span></span><u></u><u>For each iPAddress entry, the CA MUST verify the entry in accordance with Section 3.2.2.5;</u><u></u><u></u></p><p class="m_-3045134859279020391MsoListParagraph"><u></u><span>D)<span style="font:7.0pt "Times New Roman""> </span></span><u></u><u>For each id-wfa-hotspot-friendlyName entry, the CA MUST verify the entry in accordance with the requirements deemed appropriate by the WiFi Alliance. </u><u></u><u></u></p><p class="MsoNormal"><u><u></u><span style="text-decoration:none"> </span><u></u></u></p><p class="MsoNormal"><u>As an exception to RFC5280 and X.509, dNSName entries MAY contain Wildcard Domain Names. SRVName entries MUST NOT contain Wildcard Domain Names. If a name constrained CA has a dNSNAme constrain but does not have a constraint for SRVNames, the CA MUST NOT issue certificates containing SRVNames.<u></u><u></u></u></p><p class="MsoNormal"><u><u></u><span style="text-decoration:none"> </span><u></u></u></p><p class="MsoNormal"><s> that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. Wildcard FQDNs are permitted. <u></u><u></u></s></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u>For dNSNames, SRVNames, and iPAddress entries: <u></u><u></u></u></p><span class=""><p class="MsoNormal">As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name. Effective May 1, 2015, each CA SHALL revoke all unexpired Certificates with an Internal Name using onion as the right‐most label in an entry in the subjectAltName Extension or commonName field unless such Certificate was issued in accordance with Appendix F of the EV Guidelines.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></span><p class="MsoNormal">Jeremy<u></u><u></u></p><p class="MsoNormal"><a name="m_-3045134859279020391__MailEndCompose"><u></u> <u></u></a></p><span></span><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b>From:</b> Peter Bowen [mailto:<a href="mailto:pzb@amzn.com" target="_blank">pzb@amzn.com</a>] <br><b>Sent:</b> Tuesday, January 3, 2017 11:07 AM<span class=""><br><b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br><b>Cc:</b> Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>><br></span><span class=""><b>Subject:</b> Re: [cabfpub] Proposed Ballot 183 - Allowing 822 Names and (limited) otherNames<u></u><u></u></span></p></div></div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">I think we should be more specific on the otherName requirements bit. Can it change to “for id-wfa-hotspot-<wbr>friendlyName, the CA MUST …”? (I’m not sure what specification is relevant here)<span style="font-size:12.0pt"><u></u><u></u></span></p></div><div><div class="h5"><div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal"><u></u> <u></u></p><div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal">On Jan 3, 2017, at 8:35 AM, Jeremy Rowley via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<u></u><u></u></p></div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">This proposal modifies section 7.1.4.3.1. to permit inclusion of rfc822Names and the WFA otherName type. Here’s my draft ballot. Any thoughts?<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">Modify Section 7.1.4.2.1. as follows:<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal"><b>7.1.4.2.1. Subject Alternative Name Extension </b><u></u><u></u></p><p class="MsoNormal">Certificate Field: extensions:subjectAltName <u></u><u></u></p><p class="MsoNormal">Required/Optional: Required <u></u><u></u></p><p class="MsoNormal">Contents: This extension MUST contain at least one entry. Each entry MUST be <u>one of the following entries: 1) </u><s>either </s>a dNSName containing the Fully‐Qualified Domain Name, <u>2) </u><s> or </s>an iPAddress containing the IP address of a server,<u>3) a rfc822Name containing an RFC 5322 email address, or 4) an otherName with the id-wfa-hotspot-friendlyName type where id-wfa-hotspot-friendlyName OBJECT IDENTIFIER ::= { 1.3.6.1.4.1.40808.1.1.1 }. </u> <u>For each dNSName and iPAddress included, </u>the CA MUST confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. <u>For each rfc822Name included, the CA MUST confirm the Applicant controls either the included email address or the domain portion of the email address. For permitted otherNames types, the CA MUST follow the requirements established by the entity specifying the otherName type. </u>Wildcard FQDNs are permitted. <u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name. Effective May 1, 2015, each CA SHALL revoke all unexpired Certificates with an Internal Name using onion as the right‐most label in an entry in the subjectAltName Extension or commonName field unless such Certificate was issued in accordance with Appendix F of the EV Guidelines.<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p></div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><OtherName Ballot.pdf>___________________<wbr>____________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><u></u><u></u></span></p></div></blockquote></div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><u></u> <u></u></span></p></div></div></div></div><br>______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
<br></blockquote></div><br></div>