Moudrick M. Dadashov
md at ssc.lt
Fri Feb 26 12:35:36 UTC 2016
Doug, in similar cases a standard (like BR) would list the
referenced/incorporated requirements/rules under the "Normative
Maybe we should add this to BRs?
your question leads to another another question: should we list those
external documents that have "normative" impact on BRs
On 2/25/2016 10:30 PM, Doug Beattie wrote:
> Good questions Jeremy.
> I hate to ask, but is rfc 5019 another RFC that must be met in order
> to be BR compliant, and will any errors there be warnings or full
> audit findings? There are a lot of rules about cache values which we
> might not be all compliant with.
> *From:* public-bounces at cabforum.org
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Jeremy Rowley
> *Sent:* Wednesday, February 24, 2016 1:56 PM
> *To:* public at cabforum.org
> *Subject:* [cabfpub] RFC5280
> I’ve been playing around with Peter Bowen’s certlint (an excellent
> tool) and, looking at the cert universe as a whole, there are some
> noticeable issues with the BRs and RFC 5280 that I though merited a
> public CAB Forum discussion. Some of this is likely me not knowing
> the entire history of 5280, so I appreciated any explanation. If
> there’s exceptions we would like to make to RFC5280, we should
> probably also push a bis with IETF at the same time.
> Here’s what I’m noticing are common issues:
> 1)Org names, common names, and address fields are limited to 64
> characters. Very few international companies can comply with this
> restriction. It’s even worse if you are converting an IDN to a
> printable string. I don’t think any browsers limit this to 64
> characters? Is there a strong objection to permitting longer strings
> in these fields?
> 2)keyAgreement isn’t specifically prohibited in the BRs or 5280.
> However, keyAgreement should no longer be used in ECC certs because of
> security issues as explained by Ryan Sleevi in previous emails . We
> should update the BRs to prohibit keyAgreement.
> 3)Years ago, we discussed that 2047 bit certs were equivalent to 2048
> bit certs (although the discussion may have occurred solely on the
> Mozilla mailing list). We should codify this exception.
> 4)Why is teletext string not permissible on a lot of these fields? I
> also don’t understand the weird requirement to use printablestring
> over UTRF8 for some fields. Specifically, requiring a printable string
> for subject:serialNumber could cause issues with the EV Guidelines if
> a country uses an IDN as part of their registration number.
> Public mailing list
> Public at cabforum.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public