[cabfpub] Ballot 148 - Issuer Field Correction

[N. Atilla Biler]

Hi Doug,

 

About Ballot 148, I had also shared another slight correction in my previous
message below.

 

As there will be no section 9.2.4 left after the changes, the reference
9.2.4.(g) should also be changed to 9.2.2.(g) in item 6 of your ballot.

 

These recursive reference changes may become really confusing.

 

Best regards,

 

Atilla

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of N. Atilla Biler
Sent: 13 Mart 2015 Cuma 11:00
To: 'Doug Beattie'; public at cabforum.org
Subject: Re: [cabfpub] Ballot 148 - Issuer Field Correction

 

Another slight correction will be updating section reference 9.2.4 (f) to
9.2.2.(g) below:

 

"6) Update section references 9.2.4 (f) to 9.2.4.(g) 9.2.2.(g) and 9.2.4 to
9.2.2 throughout document."

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Doug Beattie
Sent: 19 Mart 2015 Perşembe 17:35
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 148 - Issuer Field Correction

 

Just a reminder that the review period for this ballot ends today (2200 UTC
on 19 Mar 2015.) and the voting period starts immediately thereafter.  

 

We've received some editorial comments (section numbers and references) so
we'll proceed with the voting period.  Comments related to the business
logic and content of who controls the keys, who controls the CA, who's CPS
is used are interesting and need to be addressed, but they are outside the
scope of this "clean-up" ballot.

 

 

For clarity, here is the updated ballot with the included editorial updates:

 

Ballot 148 - Issuer Field Correction 

________________________________________

Reason 

________________________________________

The issuer field language in Section 9.1 of the Baseline Requirements
confuses two issues: 

1) the contents of the issuer field in an end entity cert and 

2) how to name root and intermediate CA certificates. 

 

To clarify the issue, and ensure proper name chaining, this ballot fixes the
issuer field requirements and, to clarify that commonName field is part of
the distinguished name, moves all of the Subject Distinguished Name Field
requirements under the proper section. The ballot also removes requirements
around the domainComponent field as the field is not used by current TLS
clients. A subsequent ballot will address naming of roots and intermediates
under current Section 9.2.5. 

 

Doug Beattie of GlobalSign made the following motion, which was endorsed by
Jeremy Rowley of DigiCert and Richard Wang of WoSign. 

________________________________________

Motion begins 

________________________________________

1) Replace Section 9.1 with the following: 

"9.1 Issuer Information 

The content of the Certificate Issuer Distinguished Name field MUST match
the Subject DN of the Issuing CA to support Name chaining as specified in
RFC 5280, section 4.1.2.4. Only in the event of a self-signed root will the
issuer and subject fields be identical." 

 

2) Move Section 9.2.2 to 9.2.4(a) and renumber the subsequent sections as
b-i. 

 

3) Delete Section 9.2.3. 

 

4) Renumber 9.2.4 as 9.2.2. 

 

5) In section 9.2, edit section reference "9.2.2" to "9.2.2 (a)"

 

6) Update section references 9.2.4 (f) to 9.2.4.(g) and 9.2.4 to 9.2.2
throughout document.

________________________________________

Motion Ends 

________________________________________

The review period for this ballot shall commence at 2200 UTC on 12 Mar 2015,
and will close at 2200 UTC on 19 Mar 2015. Unless the motion is withdrawn
during the review period, the voting period will start immediately
thereafter and will close at 2200 UTC on 26 Mar 2015. Votes must be cast by
posting an on-list reply to this thread. 

A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: https://cabforum.org/members/ 

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Quorum is currently nine
(9) members- at least nine members must participate in the ballot, either by
voting in favor, voting against, or abstaining.

 

From: public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>
[mailto:public-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Wednesday, March 11, 2015 7:28 PM
To: public at cabforum.org <mailto:public at cabforum.org> 
Subject: [cabfpub] Ballot 148 - Issuer Field Correction

 

Ballot 148 - Issuer Field Correction 

________________________________________

Reason 

________________________________________

The issuer field language in Section 9.1 of the Baseline Requirements
confuses two issues: 

1) the contents of the issuer field in an end entity cert and 

2) how to name root and intermediate CA certificates. 

 

To clarify the issue, and ensure proper name chaining, this ballot fixes the
issuer field requirements and, to clarify that commonName field is part of
the distinguished name, moves all of the Subject Distinguished Name Field
requirements under the proper section. The ballot also removes requirements
around the domainComponent field as the field is not used by current TLS
clients. A subsequent ballot will address naming of roots and intermediates
under current Section 9.2.5. 

 

Doug Beattie of GlobalSign made the following motion, which was endorsed by
Jeremy Rowley of DigiCert and Richard Wang of WoSign. 

________________________________________

Motion begins 

________________________________________

1) Replace Section 9.1 with the following: 

"9.1 Issuer Information 

The content of the Certificate Issuer Distinguished Name field MUST match
the Subject DN of the Issuing CA to support Name chaining as specified in
RFC 5280, section 4.1.2.4. Only in the event of a self-signed root will the
issuer and subject fields be identical." 

 

2) Move Section 9.2.2 to 9.2.4(a) and renumber the subsequent sections as
b-i. 

 

3) Delete Section 9.2.3. 

 

4) Renumber 9.2.4 as 9.2.2. 

________________________________________

Motion Ends 

________________________________________

The review period for this ballot shall commence at 2200 UTC on 12 Mar 2015,
and will close at 2200 UTC on 19 Mar 2015. Unless the motion is withdrawn
during the review period, the voting period will start immediately
thereafter and will close at 2200 UTC on 26 Mar 2015. Votes must be cast by
posting an on-list reply to this thread. 

A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: https://cabforum.org/members/ 

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Quorum is currently nine
(9) members- at least nine members must participate in the ballot, either by
voting in favor, voting against, or abstaining. 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150319/4b605e61/attachment-0003.html>