[cabfpub] A few technical details about the case by TURKTRUST

Gervase Markham gerv at mozilla.org
Tue Jan 8 05:13:33 MST 2013


On 07/01/13 21:45, Geoff Keating wrote:
> The current baseline requirements have this as a 'MAY', how do we
> feel about making this into a 'SHOULD'?  That is, something like
> 
> Appendix B – Certificate Extensions (Normative) Subordinate CA
> Certificate D. basicConstraints
> 
> This extension MUST be present and MUST be marked critical. The cA
> field MUST be set true. The pathLenConstraint field MAYSHOULD be
> present.  For Subordinate CAs which are used only to sign Subscriber
> Certificates, OCSP certificates or responses, and CRLs,  it is
> RECOMMENDED that the pathLenConstraint field be present and set to
> zero.

Instead of changing the word you suggest, how about changing RECOMMENDED
to REQUIRED near the end? That last sentence has the important rider
"For Subordinate CAs which are used only to sign Subscriber
Certificates, OCSP certificates or responses, and CRLs...". We would not
want to require path length constraints on intermediates which may not
be designed to be the second-last cert in the chain.

I would be wary of supporting this change until we were sure there were
no accidental side-effects, but if we could get CA confirmation that
this was the case, I think it's a good safety net.

Gerv
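
Added example, not part of the original message: a minimal Python model of the path-length processing in RFC 5280 section 6.1.4 (steps k to m), showing what pathLenConstraint = 0 on a Subordinate CA changes. The certificate names and the Cert, check_path and chain helpers are constructed for illustration; this is a model of the rule, not an X.509 parser.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Cert:
    """Only the fields path-length processing needs (constructed model)."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint

def check_path(path: Sequence[Cert]) -> Optional[str]:
    """Apply RFC 5280 6.1.4 (k)-(m) to a path ordered from the certificate
    issued by the trust anchor down to the end entity.
    Returns None if the path passes, else the reason for rejection."""
    max_path_length = len(path)
    for cert in path[:-1]:           # every certificate that acts as an issuer
        if not cert.is_ca:
            return f"{cert.subject}: cA is not true"
        if cert.subject != cert.issuer:   # self-issued certs are not counted
            if max_path_length <= 0:
                return f"{cert.subject}: pathLenConstraint exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None

def chain(issuing_path_len: Optional[int]):
    """Constructed chain: Root (trust anchor) -> Issuing CA -> a certificate
    issued with cA=true by mistake -> a certificate signed with that one."""
    issuing = Cert("Issuing CA", "Root", is_ca=True, path_len=issuing_path_len)
    wrong = Cert("subscriber.example", "Issuing CA", is_ca=True)  # cA set in error
    leaf = Cert("other.example", "subscriber.example")
    return issuing, wrong, leaf

if __name__ == "__main__":
    for path_len in (None, 0):
        issuing, wrong, leaf = chain(path_len)
        print("pathLenConstraint =", path_len)
        print("  two-certificate path:  ", check_path([issuing, wrong]))
        print("  three-certificate path:", check_path([issuing, wrong, leaf]))
```

With the constraint absent, the three-certificate path passes; with it set to zero, that path is rejected while the ordinary two-certificate subscriber path still validates. The same rejection applies to any intermediate that is meant to have further CAs beneath it, which is why the rider about Subordinate CAs that sign only Subscriber Certificates matters.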

