[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

Jeremy.Rowley jeremy.rowley at digicert.com
Thu Sep 18 10:14:48 UTC 2014


Good points.  However, Appendix B(4) does say "all other /*fields*/ and 
extensions must be set in accordance with RFC 5280", making it broader 
than just extensions.  Since titles are not necessarily considered 
restrictive on the scope of the guideline, an update to this sentence is 
a good idea.  I do realize that the scope says "This appendix specifies 
the requirements for Certificate extensions" so there is a conflict 
between the scope, the title, and the actual wording.

Jeremy

On 9/18/2014 3:52 AM, Rob Stradling wrote:
> On 18/09/14 03:01, kirk_hall at trendmicro.com wrote:
> <snip>
>> Proposed amendments to Baseline Requirements.
>>
>> New language is shown in */_bold, italics, and underlined._/*
>>
>> 1. Amend the Definitions as follows:
>>
>> Valid Certificate:**A Certificate that passes the validation procedure
>> specified in RFC 5280 */_(except for the limited exemption provided in
>> Appendix B)._/*
> Kirk, this proposed change to the "Valid Certificate" definition makes
> no sense to me at all.
>
> I interpret "validation procedure specified in RFC 5280" to mean RFC5280
> Section 6 (entitled "Certification Path Validation"), which has
> absolutely nothing to say about duplicate serial numbers.
> (The prohibition on duplicate serial numbers is in RFC5280 Section 4.1.2.2).
>
> I think the "Valid Certificate" definition is intended to include all
> certs that browsers accept, regardless of whether or not they've been
> issued in full compliance with the BRs.  (That's arguably an unfortunate
> use of the word "Valid", but nonetheless I think this is the intent).
>
>> 2. Amend Appendix B as follows:
>>
>> Appendix B – Certificate Extensions (Normative/)_;*Limited Exemption
>> from Compliance with RFC 5280*_/**
> Again, this makes no sense.  The serial number field is not a
> certificate extension.
>
> IMHO, the BRs, as written, don't actually incorporate the RFC5280
> Section 4.1.2.2 rule prohibiting duplicate serial numbers.
>
> We could fix this by changing the title of Appendix B to "Certificate
> Fields and Extensions", but until we do that, your proposed limited
> exemption is a no-op.
>
> <snip>
>
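Added illustration, not code from this thread or from the CA/Browser Forum: Rob's point is that RFC 5280 Section 6 path validation never compares serial numbers, so uniqueness of (issuer, serial) per Section 4.1.2.2 has to be enforced by the issuing CA's own tooling. The script assumes the CT exemption concerns a precertificate and its final certificate sharing one serial (RFC 6962, precert identified by the poison extension) and runs over a constructed inventory.

```python
from collections import defaultdict

# RFC 6962 precertificate poison extension OID; its presence marks a CT precert.
CT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"


def find_duplicate_serials(certs):
    """Return sorted (issuer, serial) pairs that violate RFC 5280 4.1.2.2.

    `certs` is an iterable of dicts with keys: issuer (str), serial (int),
    extensions (set of OID strings). A duplicate is reported unless it is the
    permitted CT case: exactly one precertificate plus one final certificate.
    (Assumption: the precert is issued directly by the same CA, not via a
    separate Precertificate Signing Certificate.)
    """
    groups = defaultdict(list)
    for cert in certs:
        groups[(cert["issuer"], cert["serial"])].append(cert)

    violations = []
    for key, members in groups.items():
        if len(members) < 2:
            continue
        precerts = [c for c in members if CT_POISON_OID in c["extensions"]]
        finals = [c for c in members if CT_POISON_OID not in c["extensions"]]
        if len(members) == 2 and len(precerts) == 1 and len(finals) == 1:
            continue  # precert/final-cert pair: the limited exemption
        violations.append(key)
    return sorted(violations)


# Constructed sample inventory (hypothetical issuer names and serials).
SAMPLE_CERTS = [
    {"issuer": "CN=Example CA", "serial": 0x1001, "extensions": {CT_POISON_OID}},
    {"issuer": "CN=Example CA", "serial": 0x1001, "extensions": set()},   # final cert for the precert: allowed
    {"issuer": "CN=Example CA", "serial": 0x1002, "extensions": set()},
    {"issuer": "CN=Example CA", "serial": 0x1002, "extensions": set()},   # two final certs: violation
    {"issuer": "CN=Other CA",   "serial": 0x1002, "extensions": set()},   # different issuer: not a duplicate
    {"issuer": "CN=Example CA", "serial": 0x1003, "extensions": {CT_POISON_OID}},
    {"issuer": "CN=Example CA", "serial": 0x1003, "extensions": {CT_POISON_OID}},  # two precerts: violation
]

if __name__ == "__main__":
    for issuer, serial in find_duplicate_serials(SAMPLE_CERTS):
        print(f"duplicate serial {serial:#x} under issuer {issuer}")
```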
