[cabfpub] Must Staple and BR Issue 7

Ben Wilson ben at digicert.com
Sun Nov 4 15:32:54 MST 2012


If we were to revise Appendix B of the Baseline Requirements, as outlined in
the proposed ballot to address BR Issue #7 (redlined version attached, but
not fully endorsed yet for vote), would it make sense to amend section F of
Subscriber Certificates (extKeyUsage) (which currently says, "Either the
value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both
values MUST be present.  id-kp-emailProtection [RFC5280] MAY be present") to
also say that, in addition to emailProtection, the CABF extKeyUsage OID for
must-staple (2.23.140.16.1) MAY be present?  (Even if it had to be proposed
as its own separate ballot because it is not in direct response to the BR
Issue #7? Or is it substantially related enough?)  After reviewing this
attachment, are there any endorsers, or persons who would endorse if
modifications were made?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Adam Langley
Sent: Wednesday, October 03, 2012 1:15 PM
To: Carl Wallace
Cc: Paul Tiemann; public at cabforum.org
Subject: Re: [cabfpub] Fwd: Re: [cabfrev] Must Staple Draft

On Wed, Oct 3, 2012 at 3:10 PM, Carl Wallace <carl at redhoundsoftware.com>
wrote:
> Unless you put the mustStaple OID in each certificate in the chain, 
> this would be a significant change to the way certificate policies are 
> processed.

Right, thank you. I thought there was some reason why we didn't want to do
it in the certificate policies and that was it.

> A better existing
> place for a mustStaple OID would be EKU (i.e., only use this key when 
> it's accompanied by some stapled revocation data).

EKUs are processed in the same fashion. (Not in the PKIX standard, but in
CryptoAPI and, soon, NSS, at least.)


Cheers

AGL
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Version1.1redlinedwithIssue7.pdf
Type: application/pdf
Size: 24307 bytes
Desc: not available
Url : http://cabforum.org/pipermail/public/attachments/20121104/9fe5fe07/attachment-0001.pdf 

