[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

Ryan Sleevi sleevi at google.com
Mon Jul 29 20:57:05 UTC 2013


They're still respected (for better or worse) by Apple, NSS, and Android.

Even if that changed tomorrow, the fact that a significant portion of the
deployed user base for those products may not upgrade immediately suggests
it would be wise to keep them in scope - especially given that even few
products implement Microsoft's EKU chaining behaviour for intermediates.

On Jul 29, 2013 1:52 PM, "Kelvin Yiu" <kelviny at exchange.microsoft.com> wrote:

> I prefer to drop any mention of the MS or Netscape SGC OIDs. These OIDs
> have been obsolete for over a decade and have ceased to have any meaning on
> MS platforms since Windows 2000.
>
> Kelvin
>
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Ryan Sleevi
> Sent: Friday, July 26, 2013 12:35 PM
> To: jeremy rowley
> Cc: CABFPub
> Subject: Re: [cabfpub] Ballot 108: Clarifying the scope of the baseline
> requirements
>
> Jeremy,
>
> If I might suggest a slight modification to the wording, which still
> leaves things a little ambiguous. "All root and intermediate certificates
> included in a browser's trust store" - AIUI, none of the browsers are
> really accepting intermediates to the trust store at this point.
>
> This was a sticky point when working on Mozilla's wording on this policy
> too. Luckily, the terminology for "Root CA" and "Subordinate CA"
> may be sufficient here to help clarify.
>
> "All root certificates included in a browser's trust store, all
> subordinate CA certificates signed by one of these root certificates, and
> all end-entity certificates that either lack any Extended Key Usage
> extension or contain an Extended Key Usage extension that contains one of
> the following:
> - Server Authentication (1.3.6.1.5.5.7.3.1)
> - anyExtendedKeyUsage (2.5.29.37.0)
> - Netscape Server Gated Cryptography (2.16.840.1.113730.4.1)
> - Microsoft Server Gated Cryptography (1.3.6.1.4.1.311.10.3.3) are
> expressly covered by these requirements."
>
> Note that Appendix B, 3.F lists other values as SHOULD NOT. However, that
> presumably only applies when a certificate is 'in scope' of the BRs, hence
> the restatement of potential EKUs that are relevant.
>
>
>
> On Fri, Jul 26, 2013 at 12:22 PM, Jeremy Rowley <
> jeremy.rowley at digicert.com> wrote:
> > Hi everyone,
> >
> >
> >
> > As mentioned on the phone call last week, CAs have claimed exemption
> > from the BRs because the definition of a publicly-trusted SSL
> > certificate is not clear. I would like to clarify the scope of the BRs
> > to avoid confusion on what particular certificate contents are necessary
> > to require compliance. I am looking for one endorser (Stephen Davidson
> > has already endorsed).
> >
> >
> >
> > The third paragraph of Section 1 of the baseline requirements is:
> >
> > "This version of the Requirements only addresses Certificates intended
> > to be used for authenticating servers accessible through the
> > Internet. Similar requirements for code signing, S/MIME,
> > time-stamping, VoIP, IM, Web services, etc. may be covered in future
> > versions."
> >
> >
> >
> > I'd like to replace the above text with the following:
> >
> > "This version of the Baseline Requirements addresses all root,
> > intermediate, and end entity certificates that can be used in
> > publicly-trusted SSL handshakes.  All root and intermediate
> > certificates included in a browser's trust store and all end entity
> > certificates containing an extended key usage extension of Server
> > Authentication (1.3.6.1.5.5.7.3.1) are expressly covered by these
> > requirements. Similar requirements for code signing, S/MIME,
> > time-stamping, VoIP, IM, Web services, etc. may be covered in future
> > versions."
> >
> >
> >
> > I look forward to your comments.
> >
> >
> >
> > Jeremy
> >
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> >
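The two wordings in the thread differ in which end-entity certificates they pull into scope. The following is an added example, not code from the CAB Forum thread or the Baseline Requirements: it models Ryan Sleevi's proposed EKU test (no EKU extension, or any of the four listed OIDs) beside Jeremy Rowley's original test (serverAuth only), and runs both over constructed EKU lists to show exactly where they disagree. The clientAuth and codeSigning OIDs are standard id-kp values added here for contrast; they are not quoted in the thread.

```python
"""Scope check for the two Ballot 108 wordings under discussion (added example).

Models Ryan Sleevi's proposed EKU-based scope test and, for contrast, the
narrower test in Jeremy Rowley's original proposal. Inputs are constructed
EKU OID lists; no real certificates or parsing are involved.
"""
from typing import Optional, Sequence

# OIDs quoted in the thread.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ANY_EKU = "2.5.29.37.0"
NETSCAPE_SGC = "2.16.840.1.113730.4.1"
MICROSOFT_SGC = "1.3.6.1.4.1.311.10.3.3"

# Standard id-kp OIDs not mentioned in the thread; used only as sample
# "other" EKU values so the two tests can be compared on them.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"

# The set Sleevi's wording treats as "usable for TLS server authentication".
SLEEVI_TLS_EKUS = frozenset({SERVER_AUTH, ANY_EKU, NETSCAPE_SGC, MICROSOFT_SGC})


def in_scope_sleevi(eku: Optional[Sequence[str]]) -> bool:
    """Sleevi wording: in scope if the certificate lacks an EKU extension
    entirely (None) or if any of the four listed OIDs is present."""
    if eku is None:
        return True
    return any(oid in SLEEVI_TLS_EKUS for oid in eku)


def in_scope_rowley(eku: Optional[Sequence[str]]) -> bool:
    """Rowley wording: only certificates that contain serverAuth are named;
    a certificate with no EKU extension is therefore not covered."""
    return eku is not None and SERVER_AUTH in eku


# Constructed sample end-entity EKU contents (None = no EKU extension).
SAMPLES = {
    "no EKU extension": None,
    "serverAuth only": [SERVER_AUTH],
    "serverAuth + clientAuth": [SERVER_AUTH, CLIENT_AUTH],
    "anyExtendedKeyUsage only": [ANY_EKU],
    "Microsoft SGC only": [MICROSOFT_SGC],
    "codeSigning only": [CODE_SIGNING],
}


def disagreements() -> list:
    """Names of the samples on which the two wordings reach different verdicts."""
    return [
        name for name, eku in SAMPLES.items()
        if in_scope_rowley(eku) != in_scope_sleevi(eku)
    ]


if __name__ == "__main__":
    for name, eku in SAMPLES.items():
        print(f"{name:28s} Rowley={in_scope_rowley(eku)!s:5} Sleevi={in_scope_sleevi(eku)!s:5}")
    print("disagree on:", disagreements())
```

Running the block shows the practical effect of the proposed change: a certificate with no EKU extension at all, or one carrying only anyExtendedKeyUsage or a legacy SGC OID, is accepted for TLS server authentication by the clients Sleevi names yet falls outside the serverAuth-only wording, which is the gap the broader text closes.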