<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 30/3/2017 9:20 PM, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvaGz-4EeFvo_eZQLOj73mr-cXrytzazenPa8uGHUrf-Ww@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 30, 2017 at 1:03 PM,
Dimitris Zacharopoulos <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:jimmy@it.auth.gr"
target="_blank">jimmy@it.auth.gr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><span class="gmail-"><br>
</span> The intention is that it MUST NOT be permitted
to directly sign a id-kp-timeStamping certificate from
such a Root. The reason behind this is that only Roots
that participate in a hierarchy that eventually issues
publicly trusted SSL certificates should have this rule.
Roots that participate in a hierarchy that does not
issue SSL end-entity certificates should not need to
follow this rule. Could you please offer some
improvement language to make this clearer?<br>
</div>
</blockquote>
<div><br>
</div>
<div>Thanks for clarifying the intent.</div>
<div><br>
</div>
<div>I'm unsure what the issue is with the original wording,
which I think made that clear:</div>
<div><br>
</div>
<div>"Root CA Private Keys MUST NOT be used to sign
Certificates except in the following cases:"</div>
<div><br>
</div>
<div>Why doesn't that sufficiently address it? As I
understand it, your concern was related to whether
id-kp-timeStamping relates to "infrastructure"
certificates, but that doesn't seem to have been
addressed/clarified in a way that would move closer to
that goal, right?</div>
</div>
</div>
</div>
</blockquote>
<br>
It removes the "e.g." that was causing the confusion. At least that
was the outcome from the previous discussion. id-kp-timeStamping is
not included in the specific exceptions (administrative role
certificates, Internal CA operational device certificates).<br>
<br>
Dimitris.<br>
</body>
</html>