[cabfpub] Updated language for Ballot 68

Hill, Brad bhill at paypal-inc.com
Wed Sep 26 12:40:42 MST 2012


I updated the wiki, too.  The change adopts Geoff K's suggested language:

"unless the CA is aware of a reason for including the data in the Certificate."

And removes the previous statement about "unknown semantics".

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Wednesday, September 26, 2012 3:25 PM
To: Hill, Brad; public at cabforum.org
Subject: RE: [cabfpub] Updated language for Ballot 68

That is the language from the wiki.  However, there was discussion and proposed amendments to part D.  Those changes were to part D of the ballot.

Jeremy

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Hill, Brad
Sent: Wednesday, September 26, 2012 1:21 PM
To: public at cabforum.org
Subject: [cabfpub] Updated language for Ballot 68

https://www.cabforum.org/wiki/68%20-%20No%20unknown%20contents#preview

"Erratum begins ....

A. In Section 10.2.3, after the first paragraph, insert:

"The CA SHALL establish and follow a documented procedure for verifying all data requested for inclusion in the Certificate by the Applicant."

B. In Appendix B, add paragraph numbers to the headings: "(1) Root CA Certificate", "(2) Subordinate CA Certificate", and "(3) Subscriber Certificate".

C. In three places in Appendix B, delete: "All other fields and extensions MUST be set in accordance with RFC 5280."

D. In Appendix B, insert paragraph 4, as follows:

(4) All Certificates

All other fields and extensions MUST be set in accordance with RFC 5280.

The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extendedKeyUsage value, Certificate extension, or other data not specified in this Appendix B unless the CA is aware of a reason for including the data in the Certificate.
CAs SHALL NOT issue a Certificate with:

b) Extensions that do not apply in the context of the public Internet (such as an extendedKeyUsage value for a service that is only valid in the context of a privately managed network), unless:

i. such value falls within an OID arc for which the Applicant demonstrates ownership; or

ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or

c) semantics that cannot be verified by the CA (such as an extendedKeyUsage value for a smart card, where the CA is not able to verify that the corresponding Private Key is confined to such hardware due to remote issuance).

Erratum ends ...

Motion ends ..."

Brad Hill
