[cabfpub] Defining BR scope
Peter Bowen
pzb at amzn.com
Thu Feb 4 15:11:29 UTC 2016
> On Feb 4, 2016, at 6:42 AM, Gervase Markham <gerv at mozilla.org> wrote:
>
> Hi Rob,
>
> You're doing OK ;-)
>
> On 04/02/16 13:51, Rob Stradling wrote:
>> 2. The cert contains at least ONE of the following:
>> a) A SAN.dNSName, containing any value.
>> b) A SAN.iPAddress, containing any value.
>> c) A Subject.CN, containing any value that ends with an
>> IANA-registered TLD preceded by a ".".
>
> The trouble with this is that it rules internal server name certs out of
> scope, as long as they use CN and not SAN. So if this were our scope
> statement since the beginning, we could not have forced the deprecation
> of internal server names.
How about this:
c) A commonName in the Subject containing a value which does not include a space character surrounded by letter, number, or symbol characters.
(This avoids <space> + FQDN)
>> 3. The cert chains up to a publicly-trusted root certificate.
>
> This is also problematic, because there is not a single definition of
> "publicly-trusted". You might say "a root enabled for SSL in the root
> store of any CAB Forum browser member"?
I don’t think this needs to be defined. The CA is either in scope of a BR audit or it is not. All certificates issued by that CA that meet the other criteria are in scope.
Thanks,
Peter
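As an added illustration (my code, not anything proposed on the list), the following implements only criterion 2 of Rob's draft as quoted above, once with Rob's wording of (c) and once with Peter's replacement wording, and runs both over a handful of constructed certificate summaries so the disagreement is visible. The `CertSummary` structure, the `compare_rules` helper and the tiny TLD set are assumptions for the example; a real check would parse the certificate and use the current IANA root zone list. Criterion 3 (chaining to a trusted root) is deliberately left out, in line with Peter's point that it is a property of which CA is under audit rather than of the certificate.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed subset of IANA-registered TLDs, enough for the sample data below.
# A real implementation must load the current IANA root zone list instead.
IANA_TLDS = {"com", "net", "org", "uk", "de", "example"}


@dataclass
class CertSummary:
    """Hypothetical minimal view of the fields the proposed scope rule looks at."""
    subject_cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)   # SAN.dNSName values
    san_ip: List[str] = field(default_factory=list)    # SAN.iPAddress values


def cn_ends_with_iana_tld(cn: str) -> bool:
    """Rob's (c): the CN ends with an IANA-registered TLD preceded by a '.'."""
    parts = cn.rstrip(".").rsplit(".", 1)
    return len(parts) == 2 and parts[1].lower() in IANA_TLDS


# Peter's (c): the CN must not contain a space that has a non-space character
# on both sides. Read literally, so a leading space (" www.example.com") is allowed.
_INTERNAL_SPACE = re.compile(r"\S \S")


def cn_has_no_internal_space(cn: str) -> bool:
    return _INTERNAL_SPACE.search(cn) is None


def _san_in_scope(cert: CertSummary) -> bool:
    # (a) and (b) are identical in both drafts: any dNSName or iPAddress SAN.
    return bool(cert.san_dns) or bool(cert.san_ip)


def in_scope_rob(cert: CertSummary) -> bool:
    return _san_in_scope(cert) or (
        cert.subject_cn is not None and cn_ends_with_iana_tld(cert.subject_cn)
    )


def in_scope_peter(cert: CertSummary) -> bool:
    return _san_in_scope(cert) or (
        cert.subject_cn is not None and cn_has_no_internal_space(cert.subject_cn)
    )


# Constructed sample certificates covering the cases discussed in the thread.
SAMPLES: Dict[str, CertSummary] = {
    "public_www": CertSummary("www.example.com", san_dns=["www.example.com"]),
    # Gerv's concern: an internal server name in CN only, no SAN.
    "internal_cn_only": CertSummary("intranet"),
    "ip_san_only": CertSummary(None, san_ip=["10.0.0.1"]),
    # A non-server certificate (e.g. an organisation name in CN).
    "org_name_cn": CertSummary("Example Corp Ltd"),
    # The "<space> + FQDN" trick Peter mentions.
    "space_prefixed_fqdn": CertSummary(" www.example.com"),
}


def compare_rules() -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (in scope under Rob's (c), in scope under Peter's (c))}."""
    return {name: (in_scope_rob(c), in_scope_peter(c)) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rob, peter) in compare_rules().items():
        print(f"{name:22s} Rob={rob!s:5s} Peter={peter!s:5s}")
```

The one row where the two drafts differ is the internal-server-name CN: out of scope under Rob's wording, in scope under Peter's, which is exactly the deprecation Gerv wants the scope statement to be able to reach. Both drafts leave an organisation-name CN out of scope and both keep a space-prefixed FQDN in scope.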