<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 30/3/2017 10:51 PM, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvb61UMQ4-VRSOYZD7UhH4R2XK=kCq-x95Cfv7aY5j91og@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 30, 2017 at 2:40 PM,
Dimitris Zacharopoulos <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:jimmy@it.auth.gr"
target="_blank">jimmy@it.auth.gr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div>
<div class="gmail-h5"><span
style="color:rgb(34,34,34)">It removes the "e.g"
that was causing the confusion. At least that was
the outcome from the previous discussion.
id-kp-timeStamping is not included in the specific
exceptions (administrative role certificates,
Internal CA operational device certificates)</span></div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Sure, I apologize that I wasn't clearer. I'm asking
what was the goal of changing</div>
<div><br>
</div>
<div>"<span style="font-size:12.8px">Root CA Private Keys
MUST NOT be used to sign Certificates except in the
following cases:"</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">to</span></div>
<div><span style="font-size:12.8px">"</span><span
style="font-size:12.8px">Private Keys corresponding to
Root Certificates that participate in a hierarchy that
issues Certificates with an extKeyUsage extension that
includes the value id-kp-serverAuth [RFC5280] MUST NOT
be used to sign Certificates except in the following
cases:"</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">And whether that was
necessary. It sounds like removing the e.g. does exactly
what you want, so why the extra change above?</span></div>
</div>
<br>
</div>
</div>
</blockquote>
<br>
The reason for this language was to have a clear scope on which Root
CA Certificates are affected by this rule.<br>
<br>
For example, if there is a Root CA Certificate that is in a
hierarchy that does not issue SSL Certificates (say it is enabled by
Root programs only for id-kp-emailProtection or id-kp-codeSigning),
it might be possible to issue timestamping certificates directly
from these Roots. I don't have any strong feelings about this so we
could remove the long sentence. How about:<br>
<p>"Private Keys corresponding to Root Certificates
MUST NOT be used to sign Certificates except in the following
cases:</p>
<ol type="1">
<li>Self-signed Certificates to represent the Root CA itself;</li>
<li>Certificates for Subordinate CAs and Cross Certificates;</li>
<li>Certificates for infrastructure purposes (administrative role
certificates, internal CA operational device certificates);</li>
<li>Certificates for OCSP Response verification;"</li>
</ol>
Anyone who might object to this change?<br>
<br>
<br>
Dimitris.<br>
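<p>As an added illustration, not part of this thread or any CA's own tooling, the difference between the two wordings (the serverAuth-scoped version Ryan quoted and the unscoped proposal above) can be expressed as an audit check over a modelled hierarchy. The certificate model, field names and sample names below are constructed assumptions, not real X.509 parsing.</p>

```python
# Added example, not from the thread: the proposed rule as an audit check over a modelled PKI.
from dataclasses import dataclass

SERVER_AUTH, EMAIL, TIMESTAMP, OCSP = ("1.3.6.1.5.5.7.3.%d" % n for n in (1, 4, 8, 9))  # id-kp-* OIDs

@dataclass(frozen=True)
class Cert:  # constructed model, not real X.509 parsing
    subject: str
    issuer: str
    is_ca: bool = False            # basicConstraints cA
    eku: frozenset = frozenset()   # extKeyUsage OIDs
    infrastructure: bool = False   # admin-role / internal device cert, per CA records

def hierarchy_issues_server_auth(root, certs):
    """True if any certificate chaining up to root carries id-kp-serverAuth."""
    cas, grew = {root.subject}, True
    while grew:  # transitive closure over subordinate CAs
        new = {c.subject for c in certs if c.is_ca and c.issuer in cas} - cas
        cas |= new
        grew = bool(new)
    return any(c.issuer in cas and SERVER_AUTH in c.eku for c in certs)

def allowed_exception(root, cert):
    """Exception number (1-4) from the proposed text that cert fits, or None."""
    if cert.subject == root.subject == cert.issuer:
        return 1  # self-signed certificate representing the root itself
    if cert.is_ca:
        return 2  # subordinate CA or cross certificate
    if cert.infrastructure:
        return 3  # administrative role / internal CA operational device cert
    if cert.eku == frozenset({OCSP}):
        return 4  # OCSP response verification
    return None

def root_violations(root, certs, scoped):
    """Subjects signed directly by root outside the exceptions. scoped=True is the
    serverAuth-hierarchy wording Ryan quoted; scoped=False the wording proposed above."""
    if scoped and not hierarchy_issues_server_auth(root, certs):
        return []
    return [c.subject for c in certs if c.issuer == root.subject and allowed_exception(root, c) is None]

def sample_pki():
    """Constructed: an S/MIME-only root and a TLS root, each signing a timestamping cert directly."""
    er = Cert("Example Email Root", "Example Email Root", is_ca=True)
    tr = Cert("Example TLS Root", "Example TLS Root", is_ca=True)
    certs = [er, tr, Cert("Example Email Sub CA", er.subject, is_ca=True),
             Cert("Example Email TSA", er.subject, eku=frozenset({TIMESTAMP})),
             Cert("Example TLS Sub CA", tr.subject, is_ca=True),
             Cert("www.example.test", "Example TLS Sub CA", eku=frozenset({SERVER_AUTH})),
             Cert("Example TLS OCSP Responder", tr.subject, eku=frozenset({OCSP})),
             Cert("Example TLS TSA", tr.subject, eku=frozenset({TIMESTAMP}))]
    return er, tr, certs
```

Under the scoped wording the email-only root's direct timestamping certificate passes, under the proposed unscoped wording it is flagged; the TLS root's direct timestamping certificate is flagged under both.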
</body>
</html>