[cabfpub] Ballot 92 - Certificate examples to aid discussions.

Steve Roylance steve.roylance at globalsign.com
Fri Nov 2 16:04:44 UTC 2012


Dear all.

It seems that many people were confused about the intent of Ballot 92.

Even though Jeremy illustrated some examples during the discussions
(thanks!) and even though the ballot itself features examples, I felt that
it would be beneficial to all parties to come to an agreement on the scope
of the problem and therefore to provide an illustration of the alternative
mix of domains/IPs/Shortnames that we are trying to encompass.

Please see the attached XLS (and PDF version).

I've illustrated several different combinations of public/non-public
domains.  In order to allow everyone to visualise (in their favourite
certificate viewer) just how things stand, I've also provided certificates,
PKCS#12 keys and requests.  These are in the ZIP file and are labelled as
per the XLS sheet, so you should be able to quickly and easily identify a
specific combination of components you may be concerned about and obtain an
example, i.e. DV 1-13, OV 1-10 and Controversial 1-4.

I've also provided a few screenshots in a 2nd PDF to highlight how the
Windows Certificate Viewer makes a 'best attempt' to display information to
relying parties, i.e. when there is no CN it reverts to the next OU.  My
intention here is not to ballot how the browsers show certificates but to
indicate that both the browsers and CAs need to work together to improve the
situation for relying parties, and I'm happy to try to move the CAs forward
first.  After all, it's the CAs who attest to the combination of the various
component parts of the certificate by signing it, so browsers will never be
able to move forward whilst CAs don't have a solid baseline of when and when
not to include additional Subject DN information.

The majority of the feedback I received last week seems to highlight that
mixed 'DV' domains are contentious, hence the 1-4 in the sheet.  Some think
that it's fine to allow multiple owners to be bundled into a single
certificate.  I do not think this is acceptable.  I'm sure that some of the
supporters of this motion will be able to add additional weight to the
argument in terms of private key control; however, as I have always stated,
my focus is on what relying parties are able to see today, and CAs can
certainly improve this.

Kind Regards

Steve

P.S. If you want a particular combination of components added, please
let me know.  Additional SAN entries beyond 2 only complicate things further
and are effectively subsets of the examples created.  I didn't have the
chance to make CRLs etc., so some browsers balk.  We can address this over the
coming days/weeks prior to a resubmission of the ballot.
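The script below is an added example to accompany this message; it is not one of the attached certificates and is not taken from any CA/B Forum text. It uses openssl to issue self-signed test certificates for two of the subject/SAN combinations under discussion (no CN with two SANs under one domain, and no CN with SANs under two unrelated domains), prints what a viewer that falls back from CN to OU would display, and counts the distinct registrable domains among the DNS SAN entries. The hostnames (www.example.test, example.test, www.other.test), the organisation and OU strings, the CN-then-OU-then-O fallback order, and the "last two labels" stand-in for the public suffix list are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the ballot or its attachments: build two of the
# subject/SAN combinations described in the post and show what a relying
# party gets from each. All names are constructed for this example, and the
# CN -> OU -> O fallback is modelled on the viewer behaviour described in the
# post (assumption), not taken from any CA/B Forum requirement.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_cert OUT SUBJECT SAN
# Self-signed test certificate. SUBJECT is an openssl -subj string and may omit
# the CN; SAN is a comma-separated subjectAltName value, e.g. "DNS:a.test,DNS:b.test".
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$1" \
    -days 1 -subj "$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# display_name CERT
# What a "best attempt" viewer shows as the friendly name: the CN if present,
# otherwise the first OU, otherwise the O. The OU/O fallback tells the relying
# party nothing about which of the SAN names the certificate was issued for.
display_name() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline)
  for rdn in CN OU O; do
    val=$(printf '%s\n' "$subj" | sed -n "s/^ *$rdn=//p" | head -n 1)
    if [ -n "$val" ]; then
      printf '%s\n' "$val"
      return 0
    fi
  done
  printf '(no CN, OU or O)\n'
}

# san_names CERT
# One SAN entry per line, type tag included (DNS:..., IP Address:...).
san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | tr ',' '\n' | sed 's/^ *//'
}

# registrable_domains CERT
# Count distinct registrable domains across the DNS SAN entries, using the last
# two labels as a crude stand-in for the public suffix list (assumption). A
# count of two or more means the certificate mixes names that may belong to
# different owners, the "Controversial" case in the spreadsheet.
registrable_domains() {
  san_names "$1" | sed -n 's/^DNS://p' \
    | awk -F. 'NF>=2 {print $(NF-1)"."$NF}' | sort -u | wc -l | tr -d ' '
}

# Demo: a DV-style cert with no CN and both names under one domain, and one
# with no CN whose SANs span two unrelated domains. Both display the same OU.
make_cert "$WORK/dv.pem" "/O=Example Org/OU=Web Services" "DNS:www.example.test,DNS:example.test"
make_cert "$WORK/mixed.pem" "/O=Example Org/OU=Web Services" "DNS:www.example.test,DNS:www.other.test"
for c in dv mixed; do
  echo "== $c: displayed as '$(display_name "$WORK/$c.pem")'; $(registrable_domains "$WORK/$c.pem") registrable domain(s)"
  san_names "$WORK/$c.pem" | sed 's/^/   SAN /'
done
```

Run it with a current OpenSSL (1.1.1 or later, for -addext and -ext); both test certificates show "Web Services" as the friendly name, and only the SAN list reveals that the second one spans example.test and other.test.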




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121102/f8dbbc37/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ballot92 alternative content spreadsheet.xlsx
Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Size: 32016 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121102/f8dbbc37/attachment-0001.xlsx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ballot92 alternative content spreadsheet.pdf
Type: application/pdf
Size: 42968 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121102/f8dbbc37/attachment-0006.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CABForum Report by GlobalSign.pdf
Type: application/pdf
Size: 601806 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121102/f8dbbc37/attachment-0007.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CABForumBallot92.rename to zip
Type: application/octet-stream
Size: 354886 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121102/f8dbbc37/attachment-0003.obj>

