[cabfpub] [cabfquest] Fwd: Question on "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0"

Ben Wilson ben at digicert.com
Mon Oct 1 15:04:03 UTC 2012


Dear Mr. Fung,
Thank you for your comment/question about the scope of the Baseline
Requirements and the intent of the phrase "Certificates intended to be used
for authenticating servers accessible through the Internet."  We are
considering removing "accessible through the Internet" in future versions.
Rather, the distinction we intended was whether the certificate chained to a
trust anchor widely distributed in client software.  Therefore, the scope is
not intended to be limited by representations that a server will not be
accessible on the public internet.
Sincerely yours,
Ben Wilson

-----Original Message-----
From: questions-bounces at cabforum.org [mailto:questions-bounces at cabforum.org]
On Behalf Of Joseph Fung
Sent: Tuesday, September 25, 2012 3:05 AM
To: questions at cabforum.org
Subject: [cabfquest] Fwd: Question on "Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates, v.1.0"

Dear CAB forum,

Should I rephrase my question in my last mail below, I would like to know,
if the certificate applicant (such as the Government) can ensure that the
server can only be accessed by Intranet but not Internet, then the CA can
issue certificate with "Internal Server Name" without breaking the baseline,
or simply out of the scope of the baseline document ?

Regards
Joseph Fung


---------- Forwarded message ----------
From: Joseph Fung <josfung at gmail.com>
Date: 2012/9/25
Subject: Question on "Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.0"
To: questions at cabforum.org


Dear CAB forum,

In the document "Baseline Requirements for the Issuance and Management of
Publicly-Trusted Certificates, v.1.0", under the Section Scope, there is a
line :

"This version of the Requirements only addresses Certificates intended to be
used for authenticating servers accessible through the Internet."

So it implies only servers, with certificate, that can be accessible through
Internet (i.e. not intranet ? ) is concerned in this document.

But in the Section 9.2.1, it mentioned the deprecation of Certificate with
"Internal Server Name", it seems to have a contradiction to the Scope, i.e.
"only address .... through the Internet" as obviously "Internal Server Name"
cannot be accessed through Internet.

So I would like to know if a publicly trusted CA can or cannot issue
Certificate with "Internal Server Name" which can only be accessed in
Intranet instead of Internet ?

Thanks for your clarification first !

Joseph Fung
josfung at gmail.com
2012-09-25