[cabfpub] Ballot 167 - Baseline Requirements Corrections

Peter Bowen pzb at amzn.com
Fri Apr 15 19:35:28 UTC 2016


Jeremy,

There was a request from Moudrick to list on March 19:

  How about explicitly listing the standards (e.g. RFCs) whose requirements are "assumed mandatory”?

This proposed change was to address that item.  There is no intent to require anything new from this change — the BRs already specify RFC 5280 (see section 7.1.2.4 among many others) and the other RFCs simply specify the public key and signature algorithm identifiers for certificates.  I tried to ensure the RFCs listed are the minimal set to cover the allowed key types and signature algorithms specified in the BRs.

To your specific points, there is nothing in the RFCs listed that covers or restricts wildcards.  You are correct, this ballot does not add allowance for IP address in the dNSName in the SAN; this is already forbidden by the BRs (see section 7.1.4.2.1 "Each entry MUST be either a dNSName containing the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server.”  

I really don’t think there should be any effective change to the BRs by referencing these RFCs.

Thanks,
Peter

> On Apr 15, 2016, at 12:05 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> Correct. I think there will be others based on how browser software operates. For example, the wildcard issue Rick raised along with the IP Adress in SAN:DNS name that is required for Microsoft. 
> 
> -----Original Message-----
> From: kirk_hall at trendmicro.com [mailto:kirk_hall at trendmicro.com] 
> Sent: Friday, April 15, 2016 1:02 PM
> To: Jeremy Rowley; Peter Bowen; CABFPub
> Subject: RE: [cabfpub] Ballot 167 - Baseline Requirements Corrections
> 
> Jeremy - was this "revoked" instead of "good" Issue you referred to below the rule Opera requested (in part because of Diginotar, where the fact that the bad certs were not on a CRL resulted in a "good" response from the CA, even though the cert serial number was unknown to Diginotar so the cert could not have been "good")?  If yes, I don't think we should change that BR just to match an RFC.
> 
> Sorry, I’m slow on this one too.
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
> Sent: Friday, April 15, 2016 11:12 AM
> To: Peter Bowen; CABFPub
> Subject: Re: [cabfpub] Ballot 167 - Baseline Requirements Corrections
> 
> I should have commented earlier, but I think we have an issue with the following:
> In section 7, insert the following introduction paragraph:
> "All Certificates and Certificate Revocation Lists SHALL comply with RFC 5280 and RFC 6818.  They SHALL additionally comply with RFC3279, RFC4055, RFC5480, RFC5756, RFC5758 as appropriate based on the Subject Public Key Info and the Signature Algorithm present in the certificate."
> 
> There is at least one clear instance where the CAB Forum BRs aren't necessarily inline with these docs - ie returning "revoked" instead of "good". 
> 
> Therefore, DigiCert votes "No".
> 
> Jeremy
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen
> Sent: Friday, April 15, 2016 9:59 AM
> To: CABFPub
> Subject: Re: [cabfpub] Ballot 167 - Baseline Requirements Corrections
> 
> Amazon votes YES.
> 
>> On Apr 7, 2016, at 5:56 PM, Peter Bowen <pzb at amzn.com> wrote:
>> 
>> <CA-Browser Forum BR 1.3.3-corrections.4.doc>
>> 
>> I have removed the heading change for section 7.1.4.2.  A redlined version of the BRs is attached for those wishing to review in that format.  With that:
>> 
>> Ballot 167 review period is starting.  Assuming no more changes and that the ISRG re-confirms endorsement, voting should start in one week.
>> 
>>> Ballot 167: Baseline Requirements Corrections
>>> 
>>> The following motion has been proposed by Peter Bowen of Amazon and endorsed by Dimitris Zacharopoulos of HARICA and Josh Aas of ISRG:
>>> 
>>> Background:
>>> 
>>> A number of small corrections and clarifications to the Baseline Requirements have been identified.  These are, in general, changes that reflect the existing understanding of the Baseline Requirements by the Forum.  Due to the understanding that these primarily represent existing practice, they are combined for efficiency.
>>> 
>>> -- MOTION BEGINS --
>>> 
>>> Effective the date of passage, the following modifications to the Baseline Requirements are adopted:
>>> 
>>> In Section 1.6.1:
>>> - In the definition of "Applicant Representative", replace "and 
>>> agrees to the Certificate Terms of Use" with "the Terms of Use" and 
>>> append "or is the CA" at the end of the definition;
>>> - In the definition of "Country", replace "sovereign nation" with 
>>> "Sovereign State";
>>> - In the definition of "Terms of Use", append "or is the CA" at the 
>>> end of the definition;
>>> 
>>> In Section 1.6.3:
>>> - Delete RFC2560;
>>> - Insert "RFC6960, Request for Comments: 6960, X.509 Internet Public 
>>> Key Infrastructure Online Certificate Status Protocol - OCSP. 
>>> Santesson, Myers, Ankney, Malpani, Galperin, Adams, June 2013.";
>>> - Delete X.509v3;
>>> - Insert "X.509, Recommendation ITU-T X.509 (10/2012) | ISO/IEC 9594-8:2014 (E), Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks." 
>>> 
>>> Move the content in section 3.3.1 to section 4.2.1 to become the third paragraph in 4.2.1 and leave section 3.3.1 blank.
>>> 
>>> In section 4.9.9, replace all occurrences of "RFC2560" with "RFC6960".
>>> 
>>> In section 5.2.2, insert "CA" immediately before "Private Key".
>>> 
>>> In section 6.1.2, append "without authorization by the Subscriber" to the end of the first sentence.
>>> 
>>> In section 6.1.6, update the last citation to read: "[Source: Sections 5.6.2.3.2 and 5.6.2.3.3, respectively, of NIST SP 56A: Revision 2]"
>>> 
>>> In section 6.2, in the second sentence, insert "CA" immediately before both instances of "Private Key".
>>> 
>>> In section 6.2.5, append "without authorization by the Subordinate CA" to the end of the sentence.
>>> 
>>> In section 7, insert the following introduction paragraph:
>>> "All Certificates and Certificate Revocation Lists SHALL comply with RFC 5280 and RFC 6818.  They SHALL additionally comply with RFC3279, RFC4055, RFC5480, RFC5756, RFC5758 as appropriate based on the Subject Public Key Info and the Signature Algorithm present in the certificate."
>>> 
>>> In sections 7.1.2.1(e) and 7.1.2.2(h) change the organizationName line to read:
>>> "-  organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section 3.2.2.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”."
>>> 
>>> Replace "Subordiate" with "Subordinate" in the title of 7.1.6.3.
>>> 
>>> In section 9.6.1 item 6:
>>> - Insert "are the same entity or" immediately prior to "are 
>>> Affiliated";
>>> - Remove "and accepted".
>>> 
>>> In section 9.6.3, replace "agreement to the Terms of Use agreement." with "acknowledgement of the Terms of Use."
>>> 
>>> In section 9.6.3 item 2, replace "maintain sole control" with "assure control".
>>> 
>>> In the following sections, replace all occurrences of "Subscriber or Terms of Use Agreement" with "Subscriber Agreement or Terms of Use".
>>> - Section 1.6.1, in the definition of "Subscriber"
>>> - Section 4.1.2
>>> - Section 4.9.1.1
>>> - Section 4.9.11
>>> - Section 9.6.1
>>> - Section 9.6.3
>>> 
>>> -- MOTION ENDS --
>>> 
>>> The review period for this ballot shall commence at 2200 UTC on 7 April 2016, and will close at 2200 UTC on 14 April 2016. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 21 April 2016. Votes must be cast by posting an on-list reply to this thread.
>>> 
>>> A vote in favor of the motion must indicate a clear 'yes' in the 
>>> response. A vote against must indicate a clear 'no' in the response. 
>>> A vote to abstain must indicate a clear 'abstain' in the response. 
>>> Unclear responses will not be counted. The latest vote received from 
>>> any representative of a voting member before the close of the voting 
>>> period will be counted. Voting members are listed here: 
>>> https://cabforum.org/members/
>> 
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 
> <table class="TM_EMAIL_NOTICE"><tr><td><pre>
> TREND MICRO EMAIL NOTICE
> The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. 
> If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
> </pre></td></tr></table>




More information about the Public mailing list