[cabfpub] BR Issue 7

Rob Stradling rob.stradling at comodo.com
Tue Nov 6 09:08:12 MST 2012


On 06/11/12 11:15, Ben Wilson wrote:
 > Yngve previously made a motion to make modifications to Appendix B of
 > the Baseline Requirements, as indicated by the attached.  It has been
 > endorsed by  Wen-Cheng of Chunghwa.  Is there another endorser?

I (or Robin) would be happy to endorse a motion that just seeks to remove:
   - "With the exception of stapling, which is noted below,"
   - "The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted, 
provided that the Subscriber “staples” the OCSP response for the 
Certificate in its TLS handshakes [RFC4366]."

This exception is currently present in the BRs because Comodo asked for 
it.  However, we've not made use of it yet and it's looking very 
unlikely that we would ever need to use it.  IIRC, our primary concern 
was the potential OCSP traffic from TLS clients that don't support OCSP 
Stapling (i.e. Firefox!) visiting very busy websites that do support 
OCSP Stapling.  However, I'm optimistic that Firefox will gain support 
for OCSP Stapling soon.

However, I'm afraid we can't accept the AIA->caIssuers changes in 
Yngve's motion for the following reasons:

1. As written...
"Subordinate CA Certificate...authorityInfoAccess...MUST contain...the 
HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can 
be downloaded"
...Yngve's motion outlaws Subordinate CA Certificates issued directly by 
Root Certificates which have not been cross-certified!
IMHO...
i. issuance of such Subordinate CA Certificates should be permitted!
and
ii. such Subordinate CA Certificates should omit AIA->caIssuers.

2. "it MUST contain" is unnecessarily restrictive.  I'm interpreting "it 
MUST contain" to mean "it MUST contain precisely <this> and nothing else".
Comodo often includes >1 caIssuers HTTP URLs, but my interpretation of 
this motion is that it requires us to include precisely 1 HTTP URL.

3. We simply don't think that CAs should be forced to include caIssuers 
URLs if they don't want to include them.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



More information about the Public mailing list