[cabfpub] BR Issue 7
Rob Stradling
rob.stradling at comodo.com
Tue Nov 6 09:08:12 MST 2012
On 06/11/12 11:15, Ben Wilson wrote:
> Yngve previously made a motion to make modifications to Appendix B of
> the Baseline Requirements, as indicated by the attached. It has been
> endorsed by Wen-Cheng of Chunghwa. Is there another endorser?
I (or Robin) would be happy to endorse a motion that just seeks to remove:
- "With the exception of stapling, which is noted below,"
- "The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted,
provided that the Subscriber “staples” the OCSP response for the
Certificate in its TLS handshakes [RFC4366]."
This exception is currently present in the BRs because Comodo asked for
it. However, we've not made use of it yet and it's looking very
unlikely that we would ever need to use it. IIRC, our primary concern
was the potential OCSP traffic from TLS clients that don't support OCSP
Stapling (i.e. Firefox!) visiting very busy websites that do support
OCSP Stapling. However, I'm optimistic that Firefox will gain support
for OCSP Stapling soon.
However, I'm afraid we can't accept the AIA->caIssuers changes in
Yngve's motion for the following reasons:
1. As written...
"Subordinate CA Certificate...authorityInfoAccess...MUST contain...the
HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can
be downloaded"
...Yngve's motion outlaws Subordinate CA Certificates issued directly by
Root Certificates which have not been cross-certified!
IMHO...
i. issuance of such Subordinate CA Certificates should be permitted!
and
ii. such Subordinate CA Certificates should omit AIA->caIssuers.
2. "it MUST contain" is unnecessarily restrictive. I'm interpreting "it
MUST contain" to mean "it MUST contain precisely <this> and nothing else".
Comodo often includes >1 caIssuers HTTP URLs, but my interpretation of
this motion is that it requires us to include precisely 1 HTTP URL.
3. We simply don't think that CAs should be forced to include caIssuers
URLs if they don't want to include them.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list