[cabfpub] Must Staple and BR Issue 7

Ben Wilson ben at digicert.com
Sun Nov 4 22:32:54 UTC 2012

If we were to revise Appendix B of the Baseline Requirements, as outlined in
the proposed ballot to address BR Issue #7 (redlined version attached, but
not fully endorsed yet for vote), would it make sense to amend section F of
Subscriber Certificates (extKeyUsage) (which currently says, "Either the
value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both
values MUST be present.  id-kp-emailProtection [RFC5280] MAY be present") to
also say that, in addition to emailProtection, the CABF extKeyUsage OID for
must-staple ( MAY be present?  (Even if it had to be proposed
as its own separate ballot because it is not in direct response to the BR
Issue #7? Or is it substantially related enough?)  After reviewing this
attachment, are there any endorsers, or persons who would endorse if
modifications were made?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Adam Langley
Sent: Wednesday, October 03, 2012 1:15 PM
To: Carl Wallace
Cc: Paul Tiemann; public at cabforum.org
Subject: Re: [cabfpub] Fwd: Re: [cabfrev] Must Staple Draft

On Wed, Oct 3, 2012 at 3:10 PM, Carl Wallace <carl at redhoundsoftware.com> wrote:
> Unless you put the mustStaple OID in each certificate in the chain, 
> this would be a significant change to the way certificate policies are 
> processed.

Right, thank you. I thought there was some reason why we didn't want to do
it in the certificate policies and that was it.

> A better existing
> place for a mustStaple OID would be EKU (i.e., only use this key when 
> it's accompanied by some stapled revocation data).

EKUs are processed in the same fashion. (Not in the PKIX standard, but in
CryptoAPI and, soon, NSS, at least.)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Version1.1redlinedwithIssue7.pdf
Type: application/pdf
Size: 24307 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121104/9fe5fe07/attachment-0003.pdf>
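
The chained processing discussed in the quoted exchange above, as an added example that is not part of the original thread: a simplified Python model (an assumption, not CryptoAPI's or NSS's actual code) in which an EKU extension on a CA certificate restricts every certificate below it. The must-staple OID is a placeholder because the message does not give it, and the three chains are constructed.

```python
# Added example: simplified model of chained EKU processing (not CryptoAPI/NSS code).
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage (RFC 5280)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (RFC 5280)
MUST_STAPLE = "MUST-STAPLE-OID-PLACEHOLDER"  # the message does not give the OID


def effective_ekus(chain):
    """Intersect EKU sets from root to leaf.

    chain: list of EKU sets ordered root -> leaf; None means the certificate
    has no EKU extension and therefore adds no restriction.
    Returns the permitted set, or None if nothing in the chain restricts usage.
    """
    allowed = None
    for ekus in chain:
        if ekus is None or ANY_EKU in ekus:
            continue
        allowed = set(ekus) if allowed is None else allowed & set(ekus)
    return allowed


def usage_valid(chain, oid):
    """True if the leaf asserts `oid` and no certificate above it excludes it."""
    leaf = chain[-1]
    if leaf is None or oid not in leaf:
        return False  # a flag such as must-staple must be asserted by the leaf
    allowed = effective_ekus(chain)
    return allowed is None or oid in allowed


# Constructed chains (root, intermediate, leaf).
LEAF = {SERVER_AUTH, MUST_STAPLE}
CHAINS = {
    "intermediate restricted to serverAuth": [None, {SERVER_AUTH}, LEAF],
    "intermediate also lists must-staple": [None, {SERVER_AUTH, MUST_STAPLE}, LEAF],
    "intermediate without EKU extension": [None, None, LEAF],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(f"{name}: serverAuth={usage_valid(chain, SERVER_AUTH)}, "
              f"must-staple={usage_valid(chain, MUST_STAPLE)}")
```

Under this model a leaf that asserts the must-staple usage is only honoured when every intermediate carrying an EKU extension lists the same OID, which is the deployment consequence raised in the exchange.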