[cabfpub] NameConstraints, PKIX and CABF
tim.moses at entrust.com
Fri Jun 1 15:54:28 UTC 2012
Hi everyone. I spoke to Stephen Farrell and Sean Turner (the IETF area directors for security) today. We discussed finding the proper way for IETF to interact with the community represented by CABForum, prompted by the recent discussions on how to set the criticality flag for the nameConstraints extension.
Sean said that, in order to change RFC 5280, there would have to be demonstrable consensus. It seems clear that we aren't going to see that condition satisfied, either for this or (quite frankly) pretty much any other topic. So, we should forget about changing RFC 5280.
However, Stephen suggested that the browser/public-CA community could introduce an individual submission to the PKIX working group explaining how it uses 5280. Violating provisions of 5280 would be perfectly acceptable under this approach. But, it would be good to include the justification. This simply puts it on record how this particular community is using 5280.
Stephen suggested that we wait until we have gained some experience with the non-critical setting of the nameConstraints criticality flag, as it seems entirely possible that we'll run into some unanticipated issues.
Sean and Stephen further suggested that (in the longer term) we consider forming a working group within the Operations and Management Area of IETF. This is the vehicle used to record how practitioners are ACTUALLY using IETF specifications. Sometimes their documents strictly profile RFCs and sometimes they record non-conformant practices.
Maybe this would duplicate some parts of our existing process for documenting requirements. But, it is surely worth considering.
All this (of course) depends on the outcome of Ballot 75.
All the best. Tim.
T: +1 613 270 3183