[cabfpub] Ballot 105 Technical Constraints for Subordinate Certificate Authorities yielding broader and safer PKI adoption.

Steve Roylance steve.roylance at globalsign.com
Thu Jul 18 07:40:23 UTC 2013


Hi Kirk.

I did update the Wiki Ballot text correctly but failed to update the example
PDF.  Attached is the new one.

Steve



From:  "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com>
Date:  Wednesday, 17 July 2013 18:20
To:  "public at cabforum.org" <public at cabforum.org>
Subject:  Re: [cabfpub] Ballot 105 Technical Constraints for Subordinate
Certificate Authorities yielding broader and safer PKI adoption.

In reading Ballot 105, our technical team has a question about Section 9.7,
particularly this paragraph
 
If the Subordinate CA Certificate includes the id-kp-serverAuth extended key
usage, then the Subordinate CA MUST include the Name Constraints X.509v3
extension with constraints on dNSName, iPAddress and DirectoryName as
follows:- 

 

(a) For each dNSName in permittedSubtrees, the CA MUST confirm that the
Applicant has registered the dNSName or has been authorized by the domain
registrant to act on the registrant's behalf in line with the verification
practices of section 11.1

 

(b) For each iPAddress range in permittedSubtrees, the CA MUST confirm that
the Applicant has been assigned the iPAddress range or has been authorized
by the assigner to act on the assignee's behalf.

 

(c) For each DirectoryName in permittedSubtrees the CA MUST confirm the
Applicants and/or Subsidiary's Organizational name and location such that
end entity certificates issued from the subordinate CA will be in compliancy
with section 9.2.4 and 9.2.5.

 
The wording "then the Subordinate CA MUST include the Name Constraints
X.509v3 extension" is not clear as to whether the constraints are applied to
the sub CA certificate or to an EE certificate the sub CA is going to issue.
Should it read "then the Subordinate CA *certificate* MUST include the Name
Constraints X.509v3 extension ***" for clarity?  Is that the intention?
 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ballot 105 ? Technical Constraints for Subordinate Certificate Authorities yeilding broader and safer PKI adoption - updated version.pdf
Type: application/pdf
Size: 292019 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130718/9bf56aca/attachment-0003.pdf>
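
Added example, not part of the thread or of the ballot: under RFC 5280 the Name Constraints extension is carried in a CA certificate and limits the names that may appear in certificates issued beneath it. The Python sketch below checks end-entity SAN entries against a sub CA's permittedSubtrees for dNSName and iPAddress (DirectoryName is omitted); the function names and all sample values are constructed for illustration.

```python
import ipaddress

def dns_within(name, subtree):
    """RFC 5280 dNSName rule: the name equals the subtree or adds whole labels on its left."""
    name_labels = name.lower().rstrip(".").split(".")
    tree_labels = subtree.lower().rstrip(".").split(".")
    return (len(name_labels) >= len(tree_labels)
            and name_labels[-len(tree_labels):] == tree_labels)

def ip_within(addr, subtree):
    """iPAddress rule: the address lies inside the permitted CIDR range."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(subtree)
    return ip.version == net.version and ip in net

MATCHERS = {"dNSName": dns_within, "iPAddress": ip_within}

def names_outside_constraints(permitted_subtrees, ee_san):
    """Return the end-entity SAN entries that fall outside the sub CA's permittedSubtrees."""
    rejected = []
    for name_type, value in ee_san:
        subtrees = permitted_subtrees.get(name_type)
        if subtrees is None:
            continue  # RFC 5280: a name type with no constraint is unrestricted
        if not any(MATCHERS[name_type](value, s) for s in subtrees):
            rejected.append((name_type, value))
    return rejected

# Constructed sample: permittedSubtrees as they would sit in the sub CA certificate
SUB_CA_PERMITTED = {"dNSName": ["example.com"], "iPAddress": ["192.0.2.0/24"]}
# Constructed samples: SAN entries of end-entity certificates issued by that sub CA
GOOD_EE = [("dNSName", "www.example.com"), ("iPAddress", "192.0.2.10")]
BAD_EE = [("dNSName", "badexample.com"),          # shares a suffix, not a label boundary
          ("dNSName", "example.com.evil.test"),   # permitted name used as a prefix
          ("iPAddress", "198.51.100.7")]          # outside the permitted range

if __name__ == "__main__":
    print(names_outside_constraints(SUB_CA_PERMITTED, GOOD_EE))
    print(names_outside_constraints(SUB_CA_PERMITTED, BAD_EE))
```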


More information about the Public mailing list