[cabfpub] Updated language for Ballot 68

Hill, Brad bhill at paypal-inc.com
Wed Sep 26 19:21:17 UTC 2012


"Erratum begins ....

A. In Section 10.2.3, after the first paragraph, insert:

"The CA SHALL establish and follow a documented procedure for verifying all data requested for inclusion in the Certificate by the Applicant."

B. In Appendix B, add paragraph numbers to the headings: "(1) Root CA Certificate", "(2) Subordinate CA Certificate", and "(3) Subscriber Certificate".

C. In three places in Appendix B, delete: "All other fields and extensions MUST be set in accordance with RFC 5280."

D. In Appendix B, insert paragraph 4, as follows

(4) All Certificates

All other fields and extensions MUST be set in accordance with RFC 5280.

The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extendedKeyUsage value, Certificate extension, or other data not specified in this Appendix B unless the CA is aware of a reason for including the data in the Certificate.
CAs SHALL NOT issue a Certificate with:

b) Extensions that do not apply in the context of the public Internet (such as an extendedKeyUsage value for a service that is only valid in the context of a privately managed network), unless:

i. such value falls within an OID arc for which the Applicant demonstrates ownership; or

ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or

c) semantics that cannot be verified by the CA (such as an extendedKeyUsage value for a smart card, where the CA is not able to verify that the corresponding Private Key is confined to such hardware due to remote issuance).

Erratum ends ...

Motion ends ..."

Brad Hill

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20120926/c6dc40b2/attachment-0003.html>

More information about the Public mailing list