[cabfpub] Defining BR scope
pzb at amzn.com
Thu Feb 4 15:11:29 UTC 2016
> On Feb 4, 2016, at 6:42 AM, Gervase Markham <gerv at mozilla.org> wrote:
> Hi Rob,
> You're doing OK ;-)
> On 04/02/16 13:51, Rob Stradling wrote:
>> 2. The cert contains at least ONE of the following:
>> a) A SAN.dNSName, containing any value.
>> b) A SAN.iPAddress, containing any value.
>> c) A Subject.CN, containing any value that ends with an
>> IANA-registered TLD preceded by a ".".
> The trouble with this is that it rules internal server name certs out of
> scope, as long as they use CN and not SAN. So if this were our scope
> statement since the beginning, we could not have forced the deprecation
> of internal server names.
How about this:
c) A commonName in the Subject containing a value which does not include a space character surrounded by letter, number, or symbol characters.
(This avoids <space> + FQDN)
>> 3. The cert chains up to a publicly-trusted root certificate.
> This is also problematic, because there is not a single definition of
> "publicly-trusted". You might say "a root enabled for SSL in the root
> store of any CAB Forum browser member"?
I don’t think this needs to be defined. The CA is either in scope of a BR audit or it is not. All certificates issued by that CA the meet the other criteria are in scope.
More information about the Public