[cabfpub] Preballot for IPv6 Support
Rick Andrews
Rick_Andrews at symantec.com
Thu Feb 19 19:25:46 UTC 2015
Ryan,
It seems to me we need to add one more detail: it must be possible to make the lookups to the authoritative resolver (DNS) over IPv4 and IPv6. A client running on an IPv6-only network will first make a DNS call to get the AAAA record for the CA's OCSP or CRL service. So the CA needs to make sure that those DNS lookups can be served via IPv6.
-Rick
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer
Sent: Thursday, February 19, 2015 8:54 AM
To: CABFPub
Subject: Re: [cabfpub] Preballot for IPv6 Support
Ryan,
We didn't find any blockers that prevent GoDaddy from enabling support for IPv6. Like other CAs, we also don't see any demand for it today, but I agree that this is a collective action problem and CAs need to remove certificate validation from the list of problems that are blocking other parties from moving to IPv6. GoDaddy supports this ballot and I would be happy to endorse.
Thanks,
Wayne
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Wednesday, February 18, 2015 3:01 PM
To: CABFPub
Subject: Re: [cabfpub] Preballot for IPv6 Support
In advance of tomorrow's call, I'd like to bring forward this pre-ballot again.
---MOTION BEGINS---
Update Section 13.2.1 of the Baseline Requirements as follows:
From:
"The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with Appendix B."
To:
"The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with Appendix B.
Effective March 1, 2016, the CA SHALL make this information available via both IPv4 and IPv6. For each DNS host included in accordance with Appendix B, lookups to the authoritative resolver MUST return valid A records if A records are requested and valid AAAA records if AAAA records are requested."
Update Appendix B, Section 2(b) of the Baseline Requirements as follows:
From:
"This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL of the CA’s CRL service."
To:
"This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL of the CA’s CRL service. See Section 13.2.1 for details."
---MOTION ENDS---
The key changes from the previous pre-ballot are the wording changes suggested by Brian Smith, and attaching a concrete date - 1 year from now.
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
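The check below is an added example, not part of the thread or of any CA/Browser Forum text. It audits the hosts in CRL and OCSP URLs against the A/AAAA wording in the motion and against the name-server point raised in the first reply. The host names, addresses and the `lookup` callable are constructed for illustration; in real use `lookup` would wrap a DNS resolver of your choice.

```python
from urllib.parse import urlsplit

# Constructed DNS data using documentation names and address ranges.
SAMPLE_DNS = {
    ("crl.ca.example", "A"): ["192.0.2.10"],
    ("crl.ca.example", "AAAA"): ["2001:db8::10"],
    ("ca.example", "NS"): ["ns1.ca.example"],
    ("ns1.ca.example", "A"): ["192.0.2.53"],
    ("ns1.ca.example", "AAAA"): ["2001:db8::53"],
    ("ocsp.v4only.example", "A"): ["198.51.100.20"],  # no AAAA published
    ("v4only.example", "NS"): ["ns1.v4only.example"],
    ("ns1.v4only.example", "A"): ["198.51.100.53"],   # IPv4-only name server
}

def sample_lookup(name, rtype):
    """Stand-in resolver: returns the record values for (name, type), or []."""
    return SAMPLE_DNS.get((name.lower().rstrip("."), rtype), [])

def enclosing_zone(host, lookup):
    """Strip leading labels until a name that has NS records is found."""
    labels = host.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if lookup(zone, "NS"):
            return zone
    return None

def audit_revocation_urls(urls, lookup):
    """Return sorted (name, problem) findings for CRL/OCSP URLs."""
    findings = set()
    for url in urls:
        host = (urlsplit(url).hostname or "").rstrip(".")
        if not host:
            findings.add((url, "no host in URL"))
            continue
        # Motion text: the host must answer both A and AAAA queries.
        for rtype in ("A", "AAAA"):
            if not lookup(host, rtype):
                findings.add((host, f"no {rtype} record"))
        # Reply's point: the zone's name servers must be usable on both
        # address families; a published address record is the proxy used here.
        zone = enclosing_zone(host, lookup)
        if zone is None:
            findings.add((host, "no enclosing zone with NS records"))
            continue
        for rtype in ("A", "AAAA"):
            if not any(lookup(ns, rtype) for ns in lookup(zone, "NS")):
                findings.add((zone, f"no name server with {rtype} record"))
    return sorted(findings)

URLS = ["http://crl.ca.example/root.crl", "http://ocsp.v4only.example/"]
```

A published AAAA record for a name server does not prove the server answers over IPv6; a full check would also send a query to that address.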