[cabfpub] Defining BR scope
Rob Stradling
rob.stradling at comodo.com
Thu Feb 4 15:20:19 UTC 2016
On 04/02/16 14:42, Gervase Markham wrote:
> Hi Rob,
>
> You're doing OK ;-)
>
> On 04/02/16 13:51, Rob Stradling wrote:
>> 2. The cert contains at least ONE of the following:
>> a) A SAN.dNSName, containing any value.
>> b) A SAN.iPAddress, containing any value.
>> c) A Subject.CN, containing any value that ends with an
>> IANA-registered TLD preceded by a ".".
>
> The trouble with this is that it rules internal server name certs out of
> scope, as long as they use CN and not SAN. So if this were our scope
> statement since the beginning, we could not have forced the deprecation
> of internal server names.

Indeed. But I think we have to either a) define a not-quite-perfect
scope, or b) continue to have an unclear scope.

I prefer a.

>> 3. The cert chains up to a publicly-trusted root certificate.
>
> This is also problematic, because there is not a single definition of
> "publicly-trusted". You might say "a root enabled for SSL in the root
> store of any CAB Forum browser member"?

Sure. This part isn't the sticking point, so I thought I could get away
with being a bit handwavy. ;-)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
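
Criterion 2 as quoted in the message above, written as a predicate over name fields already extracted from a certificate, so that the CN-only internal-name case raised in the reply can be checked directly. This is an added example, not code from anyone in the thread; the `CertNames` type, the function names and the small TLD subset are assumptions made for illustration, and criterion 3 (chaining to a root) is not modelled.

```python
from dataclasses import dataclass, field

# Constructed subset of the IANA TLD list, for illustration only;
# a real check would load the full list published by IANA.
IANA_TLDS = {"com", "org", "net", "uk", "de"}


@dataclass
class CertNames:
    """Name fields taken from one certificate (hypothetical holder type)."""
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)
    subject_cn: list = field(default_factory=list)


def cn_ends_with_tld(cn: str) -> bool:
    # Clause (c), read literally: the value must end with "." followed by
    # an IANA-registered TLD. Case-insensitive matching is an assumption.
    _, dot, last = cn.rpartition(".")
    return dot == "." and last.lower() in IANA_TLDS


def matching_clauses(cert: CertNames) -> list:
    """Return which of clauses a/b/c of criterion 2 the certificate meets."""
    hits = []
    if cert.san_dns:                      # (a) any SAN.dNSName value
        hits.append("a")
    if cert.san_ip:                       # (b) any SAN.iPAddress value
        hits.append("b")
    if any(cn_ends_with_tld(cn) for cn in cert.subject_cn):
        hits.append("c")                  # (c) CN ending in ".<TLD>"
    return hits


def in_scope_by_names(cert: CertNames) -> bool:
    return bool(matching_clauses(cert))


if __name__ == "__main__":
    # Constructed samples: a public name, and internal names in CN vs SAN.
    samples = {
        "public CN": CertNames(subject_cn=["www.example.com"]),
        "internal CN only": CertNames(subject_cn=["mail.corp.local"]),
        "internal SAN": CertNames(san_dns=["intranet"]),
    }
    for label, cert in samples.items():
        print(label, matching_clauses(cert), in_scope_by_names(cert))
```

The "internal CN only" sample matches no clause, which is the gap the reply points out, while the same kind of name placed in a SAN.dNSName is in scope under clause (a).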