[cabfpub] Ballot for limited exemption to RFC 5280 for CTimplementation

Ben Wilson ben.wilson at digicert.com
Thu Sep 18 03:15:55 MST 2014 

Rob,
What if the ballot proposed a change to the title of Appendix B as you suggest, and also made it clear that, irrespective of RFC 5280's section 4.1.2.2 prohibition of duplicate serial numbers, for purposes of implementing Certificate Transparency (CT) pre-certificates, such practice is deemed "allowed"?
Ben 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
Sent: September 18, 2014 3:53 AM
To: kirk_hall at trendmicro.com; CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Ballot for limited exemption to RFC 5280 for CTimplementation

On 18/09/14 03:01, kirk_hall at trendmicro.com wrote:
<snip>
> Proposed amendments to Baseline Requirements.
>
> New language is shown in */_bold , italics, and underlined._/*
>
> 1. Amend the Definitions as follows:
>
> Valid Certificate:**A Certificate that passes the validation procedure 
> specified in RFC 5280 */_(except for the limited exemption provided in 
> Appendix B)._/*

Kirk, this proposed change to the "Valid Certificate" definition makes no sense to me at all.

I interpret "validation procedure specified in RFC 5280" to mean RFC5280 Section 6 (entitled "Certification Path Validation"), which has absolutely nothing to say about duplicate serial numbers.
(The prohibition on duplicate serial numbers is in RFC5280 Section 4.1.2.2).

I think the "Valid Certificate" definition is intended to include all certs that browsers accept, regardless of whether or not they've been issued in full compliance with the BRs.  (That's arguably an unfortunate use of the word "Valid", but nonetheless I think this is the intent).

> 2. Amend Appendix B as follows:
>
> Appendix B - Certificate Extensions (Normative/)_;*Limited Exemption 
> from Compliance with RFC 5280*_/**

Again, this makes no sense.  The serial number field is not a certificate extension.

IMHO, the BRs, as written, don't actually incorporate the RFC5280 Section 4.1.2.2 rule prohibiting duplicate serial numbers.

We could fix this by changing the title of Appendix B to "Certificate Fields and Extensions", but until we do that, your proposed limited exemption is a no-op.

<snip>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list