[cabfpub] Updated language for Ballot 68

Jeremy Rowley jeremy.rowley at digicert.com
Wed Sep 26 12:25:11 MST 2012 

That is the language from the wiki.  However, there was discussion and
proposed amendments to part D.  Those changes were to part D of the ballot.

 

Jeremy

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Hill, Brad
Sent: Wednesday, September 26, 2012 1:21 PM
To: public at cabforum.org
Subject: [cabfpub] Updated language for Ballot 68

 

https://www.cabforum.org/wiki/68%20-%20No%20unknown%20contents#preview 

 

"Erratum begins .. 

 

A. In Section 10.2.3, after the first paragraph, insert: 

 

"The CA SHALL establish and follow a documented procedure for verifying all
data requested for inclusion in the Certificate by the Applicant." 

 

B. In Appendix B, add paragraph numbers to the headings: "(1) Root CA
Certificate", "(2) Subordinate CA Certificate", and "(3) Subscriber
Certificate". 

 

C. In three places in Appendix B, delete: "All other fields and extensions
MUST be set in accordance with RFC 5280." 

 

D. In Appendix B, insert paragraph 4, as follows 

 

(4) All Certificates 

 

All other fields and extensions MUST be set in accordance with RFC 5280. 

 

The CA SHALL NOT issue a Certificate that contains a keyUsage flag,
extendedKeyUsage value, Certificate extension, or other data not specified
in this Appendix B unless the CA is aware of a reason for including the data
in the Certificate. 

CAs SHALL NOT issue a Certificate with: 

 

b) Extensions that do not apply in the context of the public Internet (such
as an extendedKeyUsage value for a service that is only valid in the context
of a privately managed network), unless: 

 

i. such value falls within an OID arc for which the Applicant demonstrates
ownership; or 

 

ii. the Applicant can otherwise demonstrate the right to assert the data in
a public context; or 

 

c) semantics that cannot be verified by the CA (such as an extendedKeyUsage
value for a smart card, where the CA is not able to verify that the
corresponding Private Key is confined to such hardware due to remote
issuance). 

 

Erratum ends . 

 

Motion ends ."

 

Brad Hill

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cabforum.org/pipermail/public/attachments/20120926/dac4053f/attachment.html

More information about the Public mailing list