[cabfpub] Baseline Requirements Issues List
Ben Wilson
ben at digicert.com
Tue Jan 29 21:06:14 UTC 2013
All,
Here is an updated Baseline Requirements Issues list. I will put this on
the wiki, too.
Ben
Columns in the attached list: #, Assigned, Section, Comment, Source, Recv'd, Status, Notes.

Issue 1
Assigned: Gerv Markham
Section: 14.2 Delegation of functions & compliance obligations
Comment: Better audit criteria are needed for sub CAs and RAs that are not operated directly by the CA.
Source: Several
Recv'd: Open item prior to v. 1.0
Status: Need to review Mozilla's rules for Sub CAs and RAs, which will provide guidance.
Notes: Issue 27 (All trusted entities must be audited) was merged into this Issue. This should be re-assigned to someone outside of Mozilla.

Issue 4
Assigned: Jeremy Rowley
Section: 16 Data Security
Comment: Issuance approvals should require an out-of-band confirmation step.
Source: Several
Recv'd: Open item prior to v. 1.0
Status: Need to discuss the proposal in "Notes".
Notes: Modify point 7 of 11.1.1 and point 4 of 11.1.2 to include a stipulation that "any other procedure" must be "out-of-band", and define or use other guidance for CAs and auditors.

Issue 7
Assigned: Ben Wilson
Section: Appendix B Certificate Extensions
Comment: AIA for OCSP must be present. OCSP Stapling is not an exception to AIA for OCSP.
Source: Yngve
Recv'd: 29 Sep 2011
Status: Email circulated by Ben on 23-Jan-2013.
Notes: Appendix B Certificate Extensions: the proposal is to make OCSP MUST for End Entity Certificates.

Issue 14
Assigned: Ryan Hurst
Section: 9 Certificate Content & Profiles
Comment: Consider making policy identifiers mandatory.
Source: Tim
Recv'd: 29 Sep 2011
Status: Suspended pending further discussion.
Notes: See Ballot 69 <https://www.cabforum.org/wiki/Ballots>.

Issue 15
Assigned: Rick Andrews (see notes)
Section: 9 Certificate Content & Profiles
Comment: Implications of RFC 6125 (BR issue 16 has been merged into this for *.gTLD).
Source: Brad Hill
Recv'd: 29 Sep 2011
Status: Two issues emerged: IDNs and gTLDs. These two issues were removed from Ballot 92 and two new ballots are being reworked. See <https://www.cabforum.org/wiki/Section%209_2_1>.
Notes: Brad Hill, Jeremy Rowley, Robin Alden, Steve Roylance, and Rick Andrews should be collaborating on a ballot for gTLDs. Rick Andrews is also working with Geoff Keating and Brad Hill on the IDN issue / ballot.

Issue 18
Assigned: Phill Hallam-Baker
Section: 11 Validation Practices
Comment: CAA records - RFC 6844.
Source: Phill
Recv'd: 29 Sep 2011
Status: Phill is working on a ballot.
Notes: RFC 6844 has been published.

Issue 24
Assigned: Jeremy Rowley
Section: Appendix B Certificate Extensions
Comment: Currently, any PKIX extension is permitted. Consider banning extensions other than those explicitly allowed.
Source: Brad Hill
Recv'd: 29 Sep 2011
Status: Earlier proposal needs to be re-visited and updated.
Notes: Problem if a certificate contains an uncommon parameter that hides data for a collision attack. See Ballot 68 <https://www.cabforum.org/wiki/Ballots>.

Issue 29
Assigned: Steve Roylance
Section: 9.2.1 Subject Alternative Name Extension
Comment: The first and third paragraphs are contradictory.
Source: Bruce Morton
Recv'd: Bruce Morton email 9 April 2012
Status: Bruce's comment from 9-Apr-2012 needs to be reviewed to determine status.
Notes: Ballot 92 failed (but the issue remains open until closed).

Issue 30
Assigned: Ryan Hurst
Section: 12. Certificate Issuance by a Root CA
Comment: OCSP Response verification Certificate unclear.
Source: Yngve
Recv'd: Ryan Hurst email 12 April 2012
Status: Steve Roylance reviewing for ballot.
Notes: Change item 3 to read: "Certificates for infrastructure purposes (e.g. administrative role certificates, internal CA operational device certificates, and OCSP Responder Certificates);" Motion and two endorsers needed.

Issue 32
Assigned: Eddy Nigg
Section: 9.2.4 Subject Organization Name Field
Comment: Representation of DBA.
Source: Eddy Nigg
Recv'd: Email to Tim - 4 July 2012
Status: To be worked on as part of BR - EV harmonization.
Notes: Adopt the same convention for DBA as that of the EV standard.

Issue 33
Assigned: Dean Coclin
Section: Title Pages
Comment: No single place to view effective dates.
Source: Yngve
Recv'd: General private communication
Status: Let's assign this to the Audit Working Group.
Notes: We need a table in the front to guide CAs and auditors on deadlines and effective dates that may be different from the document as a whole, and tie those into audit effective dates, integration, etc. (maybe ordered by date?)

Issue 34
Assigned: Joe Kaluzny
Section: Definition of FQDN
Comment: The term FQDN is used inconsistently. FQDN is used sometimes where it should really say "registerable domain name / domain name space" or "registered domain name / domain namespace" or
Source: Wells Fargo
Recv'd: Private communication, 17-Jan-2013
Status: New item.
Notes: FQDN is something that is in a routing table. A registerable domain name is a namespace that can be registered under the auspices of ICANN.

Issue 35
Assigned: Joe Kaluzny
Section: Sections 11.2.1 and 14.2
Comment: Third-party database language prevents Wells Fargo from using its business database to perform domain checks.
Source: Joe Kaluzny
Recv'd: Private communication, 17-Jan-2013
Status: New item - Joe is working on a draft ballot.
Notes: Acceptable methods of validating ownership of domain rights and confirming the identity of applicants who are corporate affiliates. This is related to Closed BR Issue #17 ("Improve the definition of a suitable third-party database").
-------------- next part --------------
Attachment: BRv1.1IssuesListv.12.pdf (application/pdf, 20143 bytes)
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130129/1760d968/attachment-0002.pdf>