[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

Jeremy Rowley jeremy.rowley at digicert.com
Fri Jul 26 13:05:57 MST 2013 

Sounds good.  I'll circulate a formal ballot with Ryan's modifications.

Thanks,
Jeremy

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Geoff Keating
Sent: Friday, July 26, 2013 1:37 PM
To: Ryan Sleevi
Cc: CABFPub
Subject: Re: [cabfpub] Ballot 108: Clarifying the scope of the baseline
requirements

I would endorse the proposal with Ryan's improved wording.

On 26/07/2013, at 12:34 PM, Ryan Sleevi <sleevi at google.com> wrote:

> Jeremy,
> 
> If I might suggest a slight modification to the wording, which still 
> leaves things a little ambiguous. "All root and intermediate 
> certificates included in a browser's trust store" - AIUI, none of the 
> browsers are really accepting intermediates to the trust store at this 
> point.
> 
> This was a sticky point when working on Mozilla's wording on this 
> policy to. Luckily, the terminology for "Root CA" and "Subordinate CA"
> may be sufficient here to help clarify.
> 
> "All root certificates included in a browser's trust store, all 
> subordinate CA certificates signed by one of these root certificates, 
> and all end-entity certificates that either lack any Extended Key 
> Usage extension or contain an Extended Key Usage extension that 
> contains one of the following:
> - Server Authentication (1.3.6.1.5.5.7.3.1)
> - anyExtendedKeyUsage (2.5.29.37.0)
> - Netscape Server Gated Cryptography (2.16.840.1.113730.4.1)
> - Microsoft Server Gated Cryptography (1.3.6.1.4.1.311.10.3.3) are 
> expressly covered by these requirements."
> 
> Note that Appendix B, 3.F lists other values as SHOULD NOT. However, 
> that presumably only applies when a certificate is 'in scope' of the 
> BRs, hence the restatement of potential EKUs that are relevant.
> 
> 
> 
> On Fri, Jul 26, 2013 at 12:22 PM, Jeremy Rowley 
> <jeremy.rowley at digicert.com> wrote:
>> Hi everyone,
>> 
>> 
>> 
>> As mentioned on the phone call last week, CAs have claimed exemption 
>> from the BRs because the definition of a publicly-trusted SSL certificate
is not
>> clear.   I would like to clarify the scope of the BRs to avoid confusion
on
>> what particular certificate contents are necessary to require 
>> compliance.  I am looking for on endorser (Stephen Davidson has already
endorsed).
>> 
>> 
>> 
>> The third paragraph of Section 1 of the baseline requirements is:
>> 
>> "This version of the Requirements only addresses Certificates 
>> intended to be used for authenticating servers  accessible through 
>> the Internet. Similar requirements for code signing, S/MIME, 
>> time-stamping, VoIP, IM, Web services, etc. may be covered in future
versions."
>> 
>> 
>> 
>> I'd like to replace the above text with the following:
>> 
>> "This version of the Baseline Requirements addresses all root, 
>> intermediate, and end entity certificates that can be used in 
>> publicly-trusted SSL handshakes.  All root and intermediate 
>> certificates included in a browser's trust store and all end entity 
>> certificates containing an extended key usage extension of Server 
>> Authentication (1.3.6.1.5.5.7.3.1) are expressly covered by these 
>> requirements. Similar requirements for code signing, S/MIME, 
>> time-stamping, VoIP, IM, Web services, etc. may be covered in future
versions."
>> 
>> 
>> 
>> I look forward to your comments.
>> 
>> 
>> 
>> Jeremy
>> 
>> 
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list