[cabfpub] Ballot[75] - NameConstraints criticality flag

Phillip Hallam-Baker philliph at comodo.com
Fri May 25 09:18:40 MST 2012


As a meta point, this might be an area where it was useful to tell the IETF 
PKIX WG that this vote is going on while it is going on.

The only pushback I saw on this issue was the usual crowd of DoD contractors 
who see no reason for PKIX to serve anything that is not a requirement for 
the DoD. Here we have a mechanism that can demonstrate that a community with 
at least equal authority in PKI expertise has considered the issue seriously 
and decided that the balance of concerns here favors a change.


-----Original Message----- 
From: Tim Moses
Sent: Friday, May 25, 2012 10:45 AM
To: CABFPub
Subject: [cabfpub] Ballot[75] - NameConstraints criticality flag

Kathleen Wilson made the following motion, and Steve Roylance and Adam 
Langley endorsed it.
________________________________________
Motion begins
________________________________________
Effective immediately
________________________________________
Erratum begins
________________________________________
Delete the following text from the "Subordinate CA Certificate" section of 
both the Baseline Requirements Appendix B and EV Guidelines Appendix B:

"All other fields and extensions MUST be set in accordance to RFC 5280."

AND replace it with the following:

"F. nameConstraints (optional)

• If present, this extension SHOULD be marked critical*.

All other fields and extensions MUST be set in accordance to RFC 5280.

* Non-critical Name Constraints are an exception to RFC 5280 that MAY be 
used until the Name Constraints extension is supported by Application 
Software Suppliers whose software is used by a substantial portion of 
Relying Parties worldwide."
________________________________________
Erratum ends
________________________________________
The ballot review period comes into effect at 21:00 UTC on May 25, 2012 and 
will close at 21:00 UTC on June 1, 2012. Unless the motion is withdrawn 
during the review period, the voting period will start immediately 
thereafter and will close at 21:00 UTC on June 8, 2012. Votes must be cast 
by "reply all" to this email.

A vote in favor of the motion must indicate a clear 'yes' in the response. A 
vote against must indicate a clear 'no' in the response. A vote to abstain 
must indicate a clear 'abstain' in the response. Unclear responses will not 
be counted. The latest vote received from any representative of a voting 
member before the close of the voting period will be counted.
________________________________________
Motion ends
________________________________________

Voting members are listed here:

http://www.cabforum.org/forum.html

with the addition of TrendMicro.

In order for the motion to be adopted, two thirds or more of the votes cast 
by members in the CA category and one half or more of the votes cast by 
members in the browser category must be in favour. Also, at least eight 
members must participate in the ballot, either by voting in favour, voting 
against or abstaining.


T: +1 613 270 3183
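
The criticality flag the erratum refers to can be checked mechanically. The following is an added example, not part of the original message or of any CA/Browser Forum tooling: it reports whether nameConstraints is present and marked critical in a DER-encoded Extensions SEQUENCE. The helper names and the sample extension values are assumptions constructed for illustration.

```python
# Added example (not from the ballot): report whether nameConstraints is critical.
# RFC 5280: Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
#                                    extnValue OCTET STRING }
NAME_CONSTRAINTS = bytes.fromhex("551d1e")   # OID 2.5.29.30
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def name_constraints_status(extensions_der):
    """Return 'absent', 'critical' or 'non-critical'."""
    tag, exts, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    pos = 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)
        _, oid, after_oid = read_tlv(ext, 0)
        tag, val, _ = read_tlv(ext, after_oid)
        # DER omits the BOOLEAN when it equals the default, FALSE.
        critical = tag == 0x01 and val != b"\x00"
        if oid == NAME_CONSTRAINTS:
            return "critical" if critical else "non-critical"
    return "absent"

def tlv(tag, value):
    """Encode one DER element; short-form length is enough for the samples."""
    return bytes([tag, len(value)]) + value

def extension(oid, critical, value):
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + flag + tlv(0x04, value))

# Constructed sample values: permittedSubtrees = dNSName "example.com"; cA = TRUE
NC_VALUE = tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x82, b"example.com"))))
BC_VALUE = tlv(0x30, tlv(0x01, b"\xff"))

def sample_extensions(nc_critical):
    return tlv(0x30, extension(BASIC_CONSTRAINTS, True, BC_VALUE)
               + extension(NAME_CONSTRAINTS, nc_critical, NC_VALUE))

for flag in (True, False):
    print(flag, name_constraints_status(sample_extensions(flag)))
```

A result of "non-critical" corresponds to the exception described in the erratum's footnote; "critical" matches both RFC 5280 and the SHOULD in the new text.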
