[cabfpub] Ballot 92 - Subject Alternative Names - Deletion of section 9.2.2 - The ballot continues

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Thu Nov 22 14:35:14 MST 2012


StartCom votes YES

On 11/20/2012 05:11 PM, From Steve Roylance:
> Dear all.
>
> After consideration of whether the ballot stands or falls based on the 
> additional text proposed for the Common Name section, myself and the 
> endorsers have agreed to remove the changes proposed for Section 9.2.2.
>
> For clarity the change is shown in the e-mail below and the Wiki has 
> been updated to show the final text 
> https://www.cabforum.org/wiki/92%20-%20Subject%20Alternative%20Names
>
> Note that balloting rules both past and proposed allow for the 
> deletion of text without having to re-start.
>
> I thank everyone for their comments so far and hope we've struck an 
> accord that will benefit the industry as a whole in the months/years 
> to come.
>
> Kind Regards
>
> Steve
>
> From: Steve Roylance <steve.roylance at globalsign.com 
> <mailto:steve.roylance at globalsign.com>>
> Date: Thursday, 15 November 2012 17:27
> To: <public at cabforum.org <mailto:public at cabforum.org>>, CABForum 
> Management <management at cabforum.org <mailto:management at cabforum.org>>
> Subject: Ballot 92 - Subject Alternative Names
>
> https://www.cabforum.org/wiki/92%20-%20Subject%20Alternative%20Names
>
> Steve Roylance of GlobalSign made the following motion and Yngve 
> Pettersen of Opera and Jeremy Rowley of Digicert have endorsed it:
>
> ... Motion begins...
>
> Effective on the 1st July 2013
>
> ... Erratum begins ...
>
> The following sections will be amended in the Baseline Requirements 
> document.
>
> *INSERT* in Section 4. Definitions the following:
>
> Public IP Address: An IP Address that is not a Reserved IP Address.
>
> *REPLACE* Section 9.2.1 (Subject Alternative Name Extension) with the 
> following:
>
> 9.2.1 Subject Alternative Name Extension
>
> Certificate Field: extensions:subjectAltName
>
> Required/Optional: Required
>
> Contents: This extension MUST contain at least one entry that is 
> either a Fully-Qualified Domain Name or Public IP Address. Each 
> subjectAltName entry MUST either be a Domain Name or an IP Address. 
> The CA MUST confirm the Applicant’s control of each dNSName or Public 
> IP Address entry in accordance with Section 11.1.
>
> SubjectAltName entries MAY include domain Names containing wildcard 
> characters.
>
> If the subjectAltName is:
>
> 1) a Public IP Address,
>
> 2) a Registered Domain Name that has a Domain Name Registrant 
> different than (and not an Affiliate of) the Domain Name Registrant of 
> any other Registered Domain Name in the subjectAltName extension in 
> the Certificate, or
>
> 3) a Reserved IP Address or Internal Server Name.
>
> then the CA MUST verify the identity of an entity that controls the 
> private key in accordance with Section 11.2 and include the Subject 
> Identity Information in the issued Certificate in accordance with 
> 9.2.4. The CA MAY include explanatory information in the Subject 
> Organizational Unit field or a non-subject certificate field to 
> clarify the Subject Identity Information included in the Certificate.
>
> Prior to issuing a Certificate containing an Internal Server Name or 
> Reserved IP Address, the CA SHALL notify the Applicant that the use of 
> such Certificates has been deprecated by the CA / Browser Forum and 
> that the practice will be eliminated by October 2016. As of the 
> Effective Date, the CA SHALL NOT issue a certificate with an Expiry 
> Date later than 1 November 2015 if the subjectAlternativeName contains 
> a Reserved IP Address or Internal Server Name. Effective 1 October 
> 2016, CAs SHALL revoke all unexpired Certificates whose 
> subjectAlternativeName extension or Subject commonName field contains 
> a Reserved IP Address or Internal Server Name.
>
> *REPLACE* Section 9.2.2 (Subject Common Name Field) with the following:
>
> 9.2.2 Subject Common Name Field
>
> Certificate Field: subject:commonName (OID 2.5.4.3)
>
> Required/Optional: Deprecated (Discouraged, but not prohibited)
>
> Contents: If present, this field MUST contain a single Public IP 
> address or single Fully-Qualified Domain Name that is one of the 
> values contained in the Certificate’s subjectAltName extension (see 
> Section 9.2.1). Reserved IP Addresses and Internal Server Names are 
> prohibited.
>
> *REPLACE* Section 10.2.3 (Information Requirements) with the following:
>
> 10.2.3 Information Requirements
>
> The certificate request MAY include all factual information about the 
> Applicant to be included in the Certificate, and such additional 
> information as is necessary for the CA to obtain from the Applicant in 
> order to comply with these Requirements and the CA’s Certificate 
> Policy and/or Certification Practice Statement. In cases where the 
> certificate request does not contain all the necessary information 
> about the Applicant, the CA SHALL obtain the remaining information 
> from the Applicant or, having obtained it from a reliable, 
> independent, third-party data source, confirm it with the Applicant.
>
> Applicant information MUST include, but not be limited to, at least 
> one Subject Alternative Name as defined in Section 9.2.1.
>
> *INSERT* in Section 11.1 (Authorization by Domain Name Registrant) the 
> following two new sections:
>
> 11.1.3 Wildcard Domain Validation
>
> Before issuing a certificate with a wildcard character (*) in a CN or 
> subjectAltName of type DNS-ID, the CA MUST establish and follow a 
> documented procedure† that determines if the wildcard character occurs 
> in the first label position to the left of a “registry-controlled” 
> label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 
> Section 8.2 for further explanation). If a wildcard would fall within 
> the label immediately to the left of a registry-controlled† or public 
> suffix, CAs SHALL refuse issuance unless the applicant proves its 
> rightful control of the entire Domain Namespace. (e.g. CAs SHALL NOT 
> issue “*.co.uk”, but MAY issue “*.example.co.uk” to Example Ltd.)
>
> †Determination of what is “registry-controlled” versus the 
> registerable portion of a Country Code Top-Level Domain Namespace is 
> not standardized at the time of writing and is not a property of the 
> DNS itself. Current best practice is to consult a “public suffix list” 
> such as http://publicsuffix.org/. If the process for making this 
> determination is standardized by an RFC, then such a procedure SHOULD 
> be preferred.
>
> ... Erratum ends ...
>
> The review period for this ballot shall commence at 21:00 UTC on 15 
> November 2012 and will close at 21:00 UTC on 22 November 2012. Unless 
> the motion is withdrawn during the review period, the voting period 
> will start immediately thereafter and will close at 21:00 UTC on 29 
> November 2012. Votes must be cast by posting an on-list reply to this 
> thread.
>
> ... Motions ends ...
>
> A vote in favor of the motion must indicate a clear 'yes' in the response.
>
> A vote against must indicate a clear 'no' in the response. A vote to 
> abstain must indicate a clear 'abstain' in the response. Unclear 
> responses will not be counted. The latest vote received from any 
> representative of a voting member before the close of the voting 
> period will be counted.
>
> Voting members are listed here: http://www.cabforum.org/forum.html
>
> In order for the motion to be adopted, two thirds or more of the votes 
> cast by members in the CA category and one half or more of the votes 
> cast by members in the browser category must be in favor. Also, at 
> least six members must participate in the ballot, either by voting in 
> favor, voting against or abstaining.
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cabforum.org/pipermail/public/attachments/20121122/83b00f9a/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
Url : http://cabforum.org/pipermail/public/attachments/20121122/83b00f9a/attachment-0001.bin 


More information about the Public mailing list