[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

Jeremy Rowley jeremy.rowley at digicert.com
Thu Aug 8 16:04:14 UTC 2013

Yes - I am officially withdrawing the ballot pending further consideration.

I'm not sure how to overcome these obstacles since:
1) PIV-I in the US space requires the anyEKU
2) Qualified Certs may require no EKU
3) Certificates without an EKU or the anyEKU may be used as SSL certificates
4) All SSL certificates should be covered by the BRs
5) Qualified and PIV-I Certs cannot be covered by the BRs since they lack a FQDN
6) SSL Certificates without an FQDN are considered local host and explicitly covered by the BRs

I think the best option might be to simply acknowledge the inconsistency and change the definition as follows:

"All root certificates included in a browser's trust store, all subordinate CA certificates signed by one of these root certificates, and all end-entity certificates that either lack any Extended Key Usage extension or contain an Extended Key Usage extension that contain (i) either an Internal Server Name or a FQDN and (ii) one of the following:
- Server Authentication (
- anyExtendedKeyUsage (
- Netscape Server Gated Cryptography (2.16.840.1.113730.4.1)
- Microsoft Server Gated Cryptography ( are expressly covered by these requirements."


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, August 08, 2013 9:20 AM
To: jeremy.rowley at digicert.com
Cc: 'CABFPub'
Subject: Re: [cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

On 02/08/13 12:19, Jeremy Rowley wrote:
> There is a potential conflict that I think needs more data and discussion:

We agree; hence Mozilla votes NO on the ballot in its current form.

We would like to see it withdrawn until further information can be gathered. We very much support the goal of this ballot; we want the BRs to cover all certs capable of being used by SSL servers. But we need to figure out whether this requires a change in the definition of what the BRs cover, or a change (e.g. on clients) in the definition of "capable of being used by SSL servers". Or something else.


More information about the Public mailing list