[cabfpub] Baseline Requirements Issues List

Ben Wilson ben at digicert.com
Tue Jan 29 21:06:14 UTC 2013


All,

Here is an updated Baseline Requirements Issues list.  I will put this on
the wiki, too. 

Ben

Columns: # | Assigned | Section | Comment | Source | Recv'd | Status | Notes

Issue 1
  Assigned: Gerv Markham
  Section:  14.2 Delegation of functions & compliance obligations
  Comment:  Better audit criteria are needed for sub CAs and RAs that are not
            operated directly by the CA.
  Source:   Several
  Recv'd:   Open item prior to v. 1.0
  Status:   Need to review Mozilla's rules for Sub CAs and RAs, which will
            provide guidance. Issue 27 (All trusted entities must be audited)
            was merged into this Issue.
  Notes:    This should be re-assigned to someone outside of Mozilla.

Issue 4
  Assigned: Jeremy Rowley
  Section:  16 Data Security
  Comment:  Issuance approvals should require an out-of-band confirmation step.
  Source:   Several
  Recv'd:   Open item prior to v. 1.0
  Status:   Need to discuss proposal to the right in "Notes".
  Notes:    Modify point 7 of 11.1.1 and point 4 of 11.1.2 to include the
            stipulation that "any other procedure" must be "out-of-band" and
            define or use other guidance for CAs and auditors.

Issue 7
  Assigned: Ben Wilson
  Section:  B Certificate Extensions
  Comment:  AIA for OCSP must be present. OCSP Stapling is not an exception to
            AIA for OCSP.
  Source:   Yngve
  Recv'd:   29 Sep 2011
  Status:   Email circulated by Ben on 23-Jan-2013.
  Notes:    Appendix B Certificate Extensions. Proposal is to make OCSP MUST
            for End Entity Certificates.

Issue 14
  Assigned: Ryan Hurst
  Section:  9 Certificate Content & Profiles
  Comment:  Consider making policy identifiers mandatory.
  Source:   Tim
  Recv'd:   29 Sep 2011
  Status:   Suspended pending further discussion.
  Notes:    See Ballot 69: <https://www.cabforum.org/wiki/Ballots>

Issue 15
  Assigned: Rick Andrews (see notes)
  Section:  9 Certificate Content & Profiles
  Comment:  Implications of RFC6125 (BR issue 16 has been merged into this for
            *.gTLD).
  Source:   Brad Hill
  Recv'd:   29 Sep 2011
  Status:   Two issues emerged: IDNs and gTLDs. These two issues were removed
            from Ballot 92 and two new ballots are being reworked.
            See: <https://www.cabforum.org/wiki/Section%209_2_1>
  Notes:    Brad Hill, Jeremy Rowley, Robin Alden, Steve Roylance, and Rick
            Andrews should be collaborating on a ballot for gTLDs.
            Rick Andrews is also working with Geoff Keating and Brad Hill on
            the IDN issue / ballot.

Issue 18
  Assigned: Phill Hallam-Baker
  Section:  11 Validation Practices
  Comment:  CAA records - RFC 6844
  Source:   Phill
  Recv'd:   29 Sep 2011
  Status:   Phill is working on a ballot.
  Notes:    RFC 6844 has been published.

Issue 24
  Assigned: Jeremy Rowley
  Section:  B Certificate Extensions
  Comment:  Currently, any PKIX extension is permitted. Consider banning
            extensions other than those explicitly allowed.
  Source:   Brad Hill
  Recv'd:   29 Sep 2011
  Status:   Earlier proposal needs to be re-visited and updated.
  Notes:    Problem if certificate contains an uncommon parameter that hides
            data for a collision attack.
            See Ballot 68: <https://www.cabforum.org/wiki/Ballots>

Issue 29
  Assigned: Steve Roylance
  Section:  9.2.1 Subject Alternative Name Extension
  Comment:  The first and third paragraphs are contradictory.
  Source:   Bruce Morton
  Recv'd:   Bruce Morton email 9 April 2012
  Status:   Bruce's comment from 9-Apr-2012 needs to be reviewed to determine
            status.
  Notes:    Ballot 92 failed (but issue remains open until closed).

Issue 30
  Assigned: Ryan Hurst
  Section:  12 Certificate Issuance by a Root CA
  Comment:  OCSP Response verification Certificate unclear.
  Source:   Yngve
  Recv'd:   Ryan Hurst email 12 April 2012
  Status:   Steve Roylance reviewing for ballot.
  Notes:    Change item 3 to read: "Certificates for infrastructure purposes
            (e.g. administrative role certificates, internal CA operational
            device certificates, and OCSP Responder Certificates);" motion and
            two endorsers needed.

Issue 32
  Assigned: Eddy Nigg
  Section:  9.2.4 Subject Organization Name Field
  Comment:  Representation of DBA.
  Source:   Eddy Nigg
  Recv'd:   Email to Tim - 4 July 2012
  Status:   To be worked on as part of BR - EV harmonization.
  Notes:    Adopt the same convention for DBA as that of the EV standard.

Issue 33
  Assigned: Dean Coclin
  Section:  Title Pages
  Comment:  No single place to view effective dates.
  Source:   Yngve
  Recv'd:   General private communication
  Status:   Let's assign this to the Audit Working Group.
  Notes:    We need a table in the front to guide CAs and auditors on
            deadlines and effective dates that may be different from the
            document as a whole and tie those into audit effective dates
            integration, etc. (maybe ordered by date?)

Issue 34
  Assigned: Joe Kaluzny
  Section:  Definition of FQDN
  Comment:  The term FQDN is used inconsistently. FQDN is used sometimes where
            it should really say "registerable domain name / domain name
            space" or "registered domain name / domain namespace" or
  Source:   Wells Fargo
  Recv'd:   Private communication, 17-Jan-2013
  Status:   New item.
  Notes:    FQDN is something that is in a routing table. A registerable
            domain name is a namespace that can be registered under the
            auspices of ICANN.

Issue 35
  Assigned: Joe Kaluzny
  Section:  Sections 11.2.1 and 14.2
  Comment:  Third party database language prevents Wells Fargo from using a
            business database to perform domain checks.
  Source:   Joe Kaluzny
  Recv'd:   Private communication, 17-Jan-2013
  Status:   New item - Joe is working on a draft ballot.
  Notes:    Acceptable methods of validating ownership of domain rights and
            confirming identity of applicants who are corporate affiliates.
            This is related to Closed BR Issue #17 ("Improve the definition of
            a suitable third-party database").
