Hi Rob,

You're doing OK ;-)

On 04/02/16 13:51, Rob Stradling wrote:
>   2. The cert contains at least ONE of the following:
>     a) A SAN.dNSName, containing any value.
>     b) A SAN.iPAddress, containing any value.
>     c) A Subject.CN, containing any value that ends with an
> IANA-registered TLD preceded by a ".".

The trouble with this is that it rules internal server name certs out of
scope, as long as they use CN and not SAN. So if this were our scope
statement since the beginning, we could not have forced the deprecation
of internal server names.

>   3. The cert chains up to a publicly-trusted root certificate.

This is also problematic, because there is not a single definition of
"publicly-trusted". You might say "a root enabled for SSL in the root
store of any CAB Forum browser member"?
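
The gap described above for clause 2, as an added example that is not part of the original email or of any CA/Browser Forum tooling: it evaluates conditions a) to c) exactly as quoted over constructed certificate field sets. The dictionary layout, the function names and the four-entry TLD sample are assumptions made for illustration.

```python
# Added illustration of clause 2 of the quoted scope proposal.
# Certificates are modelled as plain dicts (hypothetical layout), so no
# X.509 parsing library is needed and the example runs offline.

# Assumption: a tiny constructed sample standing in for the IANA TLD list.
SAMPLE_IANA_TLDS = {"com", "org", "net", "uk"}


def cn_ends_with_registered_tld(cn, tlds=SAMPLE_IANA_TLDS):
    """Clause 2c: the CN ends with an IANA-registered TLD preceded by a '.'.

    Comparison is case-insensitive (an assumption; DNS names are)."""
    _head, dot, last_label = cn.lower().rpartition(".")
    return bool(dot) and last_label in tlds


def clause_2_matches(cert):
    """Return which of conditions a/b/c the cert satisfies ([] = out of scope)."""
    matched = []
    if cert.get("san_dns"):        # a) SAN.dNSName, containing any value
        matched.append("a")
    if cert.get("san_ip"):         # b) SAN.iPAddress, containing any value
        matched.append("b")
    if any(cn_ends_with_registered_tld(cn) for cn in cert.get("subject_cn", [])):
        matched.append("c")        # c) Subject.CN ending in ".<registered TLD>"
    return matched


# Constructed sample certificates (field values only).
CERTS = {
    "public name, CN only":     {"subject_cn": ["www.example.com"]},
    "internal name, SAN + CN":  {"subject_cn": ["mail"], "san_dns": ["mail"]},
    "internal name, CN only":   {"subject_cn": ["mail.corp.local"]},
    "short hostname, CN only":  {"subject_cn": ["exchange01"]},
}


def scope_report(certs=CERTS):
    """Map each sample name to the clause-2 conditions it meets."""
    return {name: clause_2_matches(cert) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, matched in scope_report().items():
        verdict = "in scope via " + ",".join(matched) if matched else "OUT OF SCOPE"
        print(f"{name:26} {verdict}")
```

The two CN-only internal-name samples match none of the three conditions, so the same name is covered when it appears in a SAN and not covered when it appears only in the CN.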


