[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Rob Stradling rob.stradling at comodo.com
Thu Sep 18 06:44:04 MST 2014


On 18/09/14 11:14, Jeremy.Rowley wrote:
> Good points.  However, Appendix B(4) does say "all other /*fields*/ and
> extensions must be set in accordance with RFC 5280", making it broader
> than just extensions.

Yes, but the current problem with this sentence is that "fields and" is 
meaningless, given the current scope and title.  But we can leave this 
sentence unchanged if we fix the scope and title.

> Since titles are not necessarily considered
> restrictive on the scope of the guideline, an update to this sentence is
> a good idea.  I do realize that the scope says "This appendix specifies
> the requirements for Certificate extensions" so there is a conflict
> between the scope, the title, and the actual wording.

Indeed.

> Jeremy
>
> On 9/18/2014 3:52 AM, Rob Stradling wrote:
>> On 18/09/14 03:01, kirk_hall at trendmicro.com wrote:
>> <snip>
>>> Proposed amendments to Baseline Requirements.
>>>
>>> New language is shown in */_bold , italics, and underlined._/*
>>>
>>> 1. Amend the Definitions as follows:
>>>
>>> Valid Certificate:**A Certificate that passes the validation procedure
>>> specified in RFC 5280 */_(except for the limited exemption provided in
>>> Appendix B)._/*
>> Kirk, this proposed change to the "Valid Certificate" definition makes
>> no sense to me at all.
>>
>> I interpret "validation procedure specified in RFC 5280" to mean RFC5280
>> Section 6 (entitled "Certification Path Validation"), which has
>> absolutely nothing to say about duplicate serial numbers.
>> (The prohibition on duplicate serial numbers is in RFC5280 Section 4.1.2.2).
>>
>> I think the "Valid Certificate" definition is intended to include all
>> certs that browsers accept, regardless of whether or not they've been
>> issued in full compliance with the BRs.  (That's arguably an unfortunate
>> use of the word "Valid", but nonetheless I think this is the intent).
>>
>>> 2. Amend Appendix B as follows:
>>>
>>> Appendix B – Certificate Extensions (Normative/)_;*Limited Exemption
>>> from Compliance with RFC 5280*_/**
>> Again, this makes no sense.  The serial number field is not a
>> certificate extension.
>>
>> IMHO, the BRs, as written, don't actually incorporate the RFC5280
>> Section 4.1.2.2 rule prohibiting duplicate serial numbers.
>>
>> We could fix this by changing the title of Appendix B to "Certificate
>> Fields and Extensions", but until we do that, your proposed limited
>> exemption is a no-op.
>>
>> <snip>
>>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

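The point Rob makes above is that RFC 5280 Section 6 path validation never looks at whether a CA has reused a serial number; the uniqueness rule lives in Section 4.1.2.2 and only the issuing CA (or an auditor looking across its issued certificates) can enforce it. The following is an added example, not code from this thread or from any CA/Browser Forum document. It models that audit: it assumes an issuance log available as (issuer DN, serial number) pairs, a constructed format, and checks each record against the three 4.1.2.2 requirements (positive integer, at most 20 DER octets, unique per issuer).

```python
"""Audit a CA issuance log against the RFC 5280 Section 4.1.2.2 serialNumber
rules: positive integer, unique per issuing CA, at most 20 octets when DER
encoded.  Path validation (Section 6) does not check any of these, so the
check has to run over the CA's own output.

Added example; the log format and all issuer names / serial values below are
constructed for illustration.
"""

from collections import defaultdict

MAX_SERIAL_OCTETS = 20


def der_integer_length(value):
    """Number of content octets a DER INTEGER needs for a positive value.

    DER INTEGERs are two's-complement, so a value whose top bit is set in its
    leading octet needs an extra 0x00 octet; bit_length() // 8 + 1 accounts
    for that (e.g. 255 encodes as 00 FF, two octets).
    """
    if value <= 0:
        raise ValueError("serialNumber must be a positive integer")
    return value.bit_length() // 8 + 1


def audit_serials(records):
    """Check (issuer_dn, serial_int) records.

    Returns a list of (issuer_dn, serial_int, reason) findings in log order;
    an empty list means every record satisfied 4.1.2.2.  Uniqueness is keyed
    per issuer, because the RFC only forbids reuse by the *same* CA.
    """
    findings = []
    seen = defaultdict(set)  # issuer DN -> serials already issued by it
    for issuer, serial in records:
        if serial <= 0:
            findings.append((issuer, serial, "not a positive integer"))
            continue
        if der_integer_length(serial) > MAX_SERIAL_OCTETS:
            findings.append((issuer, serial, "DER encoding exceeds 20 octets"))
        if serial in seen[issuer]:
            findings.append((issuer, serial, "duplicate serial under same issuer"))
        seen[issuer].add(serial)
    return findings


# Constructed sample log.  The same serial under two different issuers is
# permitted; the same serial twice under one issuer is the case the thread
# is about, and neither Section 6 nor a browser's chain building would notice it.
SAMPLE_LOG = [
    ("CN=Example Issuing CA 1,O=Example CA", 0x1A2B3C),
    ("CN=Example Issuing CA 2,O=Example CA", 0x1A2B3C),    # fine: other issuer
    ("CN=Example Issuing CA 1,O=Example CA", 0x1A2B3C),    # duplicate under CA 1
    ("CN=Example Issuing CA 1,O=Example CA", 0),           # zero is not positive
    ("CN=Example Issuing CA 2,O=Example CA", 2**159 + 5),  # needs 21 DER octets
]

if __name__ == "__main__":
    for issuer, serial, reason in audit_serials(SAMPLE_LOG):
        print(f"{issuer}: serial {serial:#x}: {reason}")
```

Keying the uniqueness check on the issuer DN alone is enough for a CA auditing its own log; an auditor working from certificates gathered elsewhere would key on the issuer's key identifier or SPKI hash as well, since two CAs can legitimately share a name string.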
