[cabfpub] Defining BR scope

Rob Stradling rob.stradling at comodo.com
Thu Feb 4 15:20:19 UTC 2016

On 04/02/16 14:42, Gervase Markham wrote:
> Hi Rob,
> You're doing OK ;-)
> On 04/02/16 13:51, Rob Stradling wrote:
>>    2. The cert contains at least ONE of the following:
>>      a) A SAN.dNSName, containing any value.
>>      b) A SAN.iPAddress, containing any value.
>>      c) A Subject.CN, containing any value that ends with an
>> IANA-registered TLD preceded by a ".".
> The trouble with this is that it rules internal server name certs out of
> scope, as long as they use CN and not SAN. So if this were our scope
> statement since the beginning, we could not have forced the deprecation
> of internal server names.

Indeed.  But I think we have to either a) define a not-quite-perfect 
scope, or b) continue to have an unclear scope.

I prefer a.

>>    3. The cert chains up to a publicly-trusted root certificate.
> This is also problematic, because there is not a single definition of
> "publicly-trusted". You might say "a root enabled for SSL in the root
> store of any CAB Forum browser member"?

Sure.  This part isn't the sticking point, so I thought I could get away 
with being a bit handwavy.  ;-)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list