[cabfpub] Ballot 92 - Certificate examples to aid discussions.

Steve Roylance steve.roylance at globalsign.com
Fri Nov 2 17:07:56 UTC 2012

Dear all.

I'm not sure if the ZIP file will make it through to everyone.  (I assume
the XLS and 2 x PDFs will but let me know if not)

I've therefore placed the zip file on the Wiki for CABForum members.
If anyone else needs it please let me know.


From:  Steve Roylance <steve.roylance at globalsign.com>
Date:  Friday, 2 November 2012 16:04
To:  "CABFPub (public at cabforum.org)" <public at cabforum.org>
Subject:  Ballot 92 - Certificate examples to aid discussions.

Dear all.

It seems that many people were confused about the intent of Ballot 92.

Even though Jeremy illustrated some examples during the discussions
(thanks!) and even though the ballot itself features examples, I felt that
it would be beneficial to all parties to come to an agreement on the scope
of the problem and therefore to provide an illustration of the alternative
mix of domains/IPs/Shortnames that we are trying to encompass.

Please see the attached XLS (and PDF version).

I've illustrated several different combinations of public/non public
domains.  In order to allow everyone to visualise (in their favourite
certificate viewer) just how things stand I've also provided certificates,
PKCS12s, keys and requests.  These are in the ZIP file and are labelled as
per the XLS sheet so you should be able to quickly and easily identify a
specific combination of components you may be concerned about and obtain an
example.  i.e. DV 1-13, OV 1-10 and Controversial 1-4.

I've also provided a few screen shots in a 2nd PDF to highlight how the
Windows Certificate Viewer makes a 'best attempt' to display information to
relying parties.  i.e. When there is no CN it reverts to the next OU.    My
intention here is not to ballot how the browsers show certificates but to
indicate that both the browsers and CAs need to work together to improve the
situation for relying parties and I'm happy to try to move the CAs forward
first.  After all, it's the CAs who attest to the combination of the various
component parts of the certificate by signing it, so Browsers will never be
able to move forward whilst CAs don't have a solid baseline of when and when
not to include additional Subject DN Information.

The majority of the feedback I received last week seems to highlight that
mixed 'DV' domains are contentious hence the 1-4 in the sheet.  Some think
that it's fine to allow multiple owners to be bundled in to a single
certificate.  I do not think this is acceptable.   I'm sure that some of the
supporters of this motion will be able to add additional weight to the
argument in terms of private key control, however as I have always stated,
my focus is on what relying parties are able to see today and CAs can
certainly improve this.

Kind Regards


P.S. If you want a particular combination of components adding then please
let me know.  Additional SAN entries beyond 2 only complicate things further
and are effectively subsets of the examples created.  I didn't have the
chance to make CRLs etc so some browsers balk. We can address this over the
coming days/weeks prior to a resubmission of the ballot.
