[cabfpub] Ballot 167 - Baseline Requirements Corrections

Peter Bowen pzb at amzn.com
Wed Apr 6 23:40:51 UTC 2016


> On Apr 6, 2016, at 3:17 PM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> On Wed, Apr 6, 2016 at 2:57 PM, Peter Bowen <pzb at amzn.com> wrote:
> 
> Append " - Subscriber Certificates" to the title of section 7.1.4.2.
> 
> Apologies for missing this during the first discussion, could you explain the motivation for this change? This seems to substantially change the obligations regarding the construction of subordinate CA certificates, and so it's helpful to understand the context.

This change is to address https://bugzilla.cabforum.org/show_bug.cgi?id=31, which is one of the bugs Gerv listed in the prior thread.

7.1.4.3 is already "Subject Information – Subordinate CA Certificates", so I was following the same heading format.

7.1.4.2 says the subject alternative name extension is required and the "extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server". Clearly this is incorrect for CA certificates.

7.1.2.1/7.1.2.2 call out the requirement for validation of organizationName for CA certificates.  I admit that BR structure here is a little weird — very similar requirements are applied to different types of certificates in 7.1.2 and 7.1.4. It would probably be better to call out validation requirements in one place.  However that is starting to feel like its own ballot as it is going to take some careful thought on how to make it work correctly.

Would you prefer we drop the change to the heading on 7.1.4.2?

Thanks,
Peter
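
The scoping point made in the message above, as an added Go example that is not part of the original e-mail or of the Baseline Requirements: a check that enforces the quoted 7.1.4.2 SAN rule only on non-CA certificates. The names `checkSAN` and `makeCert` and the sample certificates are constructed for illustration, and using the basicConstraints cA flag to separate CA certificates from subscriber certificates is an assumption of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkSAN applies the SAN rule quoted from 7.1.4.2 (at least one dNSName or
// iPAddress entry) to subscriber certificates only; CA certificates are skipped.
func checkSAN(c *x509.Certificate) error {
	if c.BasicConstraintsValid && c.IsCA {
		return nil // assumption: cA=TRUE means the subscriber rule is out of scope
	}
	if len(c.DNSNames)+len(c.IPAddresses) == 0 {
		return fmt.Errorf("%q: SAN has no dNSName or iPAddress entry", c.Subject.CommonName)
	}
	return nil
}

// makeCert builds a constructed, self-signed sample certificate for the demo.
func makeCert(cn string, isCA bool, dns []string) *x509.Certificate {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: dns,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	fmt.Println("CA, no SAN:        ", checkSAN(makeCert("Example Root CA", true, nil)))
	fmt.Println("subscriber, no SAN:", checkSAN(makeCert("no-san.example.com", false, nil)))
}
```

A linter that applied the 7.1.4.2 rule without the CA scoping would flag the first sample certificate, which is the reading the heading change rules out.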

