[cabfpub] NameConstraints, PKIX and CABF

Ryan Hurst ryan.hurst at globalsign.com
Fri Jun 1 15:56:20 UTC 2012

I agree that such an approach makes sense, that is if the ballot passes.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Tim Moses
Sent: Friday, June 01, 2012 8:54 AM
Subject: [cabfpub] NameConstraints, PKIX and CABF


Hi everyone.  I spoke to Stephen Farrell and Sean Turner (the IETF area
directors for security) today.  We discussed finding the proper way for IETF
to interact with the community represented by CABForum, prompted by the
recent discussions on how to set the criticality flag for the
nameConstraints extension.


Sean said that, in order to change RFC 5280, there would have to be
demonstrable consensus.  It seems clear that we aren't going to see that
condition satisfied, either for this or (quite frankly) pretty much any
other topic.  So, we should forget about changing RFC 5280.


However, Stephen suggested that the browser/public-CA community could
introduce an individual submission to the PKIX working group explaining how
it uses 5280.  Violating provisions of 5280 would be perfectly acceptable
under this approach.  But, it would be good to include the justification.
This simply puts it on record how this particular community is using 5280.


Stephen suggested that we wait until we have gained some experience with the
non-critical setting of the nameConstraints criticality flag, as it seems
entirely possible that we'll run into some unanticipated issues.


Sean and Stephen further suggested that (in the longer term) we consider
forming a working group within the Operations and Management Area of IETF.
This is the vehicle used to record how practitioners are ACTUALLY using IETF
specifications.  Sometimes their documents strictly profile RFCs and
sometimes they record non-conformant practices.


Maybe this would duplicate some parts of our existing process for
documenting requirements.  But, it is surely worth considering.


All this (of course) depends on the outcome of Ballot 75.


All the best.  Tim.


T: +1 613 270 3183

