[cabfpub] RFC5280

Moudrick M. Dadashov md at ssc.lt
Fri Feb 26 12:35:36 UTC 2016


Doug, in similar cases a standard (like BR) would list the 
referenced/incorporated requirements/rules under the "Normative 
documents" section.

Maybe we should add this to BRs?

Thanks,
M.D.

Your question leads to another question: should we list those 
external documents that have "normative" impact on BRs?

On 2/25/2016 10:30 PM, Doug Beattie wrote:
>
> Good questions Jeremy.
>
> I hate to ask, but is rfc 5019 another RFC that must be met in order 
> to be BR compliant, and will any errors there be warnings or full 
> audit findings?  There are a lot of rules about cache values which we 
> might not be all compliant with.
>
> https://certificate.revocationcheck.com/
>
> *From:* public-bounces at cabforum.org 
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Jeremy Rowley
> *Sent:* Wednesday, February 24, 2016 1:56 PM
> *To:* public at cabforum.org
> *Subject:* [cabfpub] RFC5280
>
> I’ve been playing around with Peter Bowen’s certlint (an excellent 
> tool) and, looking at the cert universe as a whole, there are some 
> noticeable issues with the BRs and RFC 5280 that I thought merited a 
> public CAB Forum discussion.  Some of this is likely me not knowing 
> the entire history of 5280, so I appreciate any explanation. If 
> there are exceptions we would like to make to RFC 5280, we should 
> probably also push a bis with IETF at the same time.
>
> Here’s what I’m noticing are common issues:
>
> 1) Org names, common names, and address fields are limited to 64 
> characters. Very few international companies can comply with this 
> restriction. It’s even worse if you are converting an IDN to a 
> printable string.  I don’t think any browsers limit this to 64 
> characters?  Is there a strong objection to permitting longer strings 
> in these fields?
>
> 2) keyAgreement isn’t specifically prohibited in the BRs or 5280. 
> However, keyAgreement should no longer be used in ECC certs because of 
> security issues as explained by Ryan Sleevi in previous emails. We 
> should update the BRs to prohibit keyAgreement.
>
> 3) Years ago, we discussed that 2047 bit certs were equivalent to 2048 
> bit certs (although the discussion may have occurred solely on the 
> Mozilla mailing list).  We should codify this exception.
>
> 4) Why is Teletex string not permissible on a lot of these fields? I 
> also don’t understand the weird requirement to use PrintableString 
> over UTF8 for some fields. Specifically, requiring a printable string 
> for subject:serialNumber could cause issues with the EV Guidelines if 
> a country uses an IDN as part of their registration number.
>
> Thoughts?
>
> Jeremy
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
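The four issues Jeremy lists are all things a certificate linter can check mechanically. The following is an added example, not code from the thread and not part of Peter Bowen's certlint: a self-contained DER parser for an RFC 5280 subject Name that flags attribute values over the 64-character upper bound (ub-common-name, ub-organization-name, ub-locality-name, ub-state-name in RFC 5280 Appendix A), TeletexString values, and a subject:serialNumber that is not a PrintableString, plus two small helpers for the keyAgreement-on-EC and 2047-bit-modulus cases. All function names, the `tlv`/`attr` encoding helpers and the sample Name are constructed for this example; the OIDs and tag numbers are the standard ones.

```python
"""Minimal RFC 5280 subject Name linter (added example, not certlint)."""

# Standard attribute OIDs (X.520) and the DER tag numbers for the string types.
OID_CN, OID_SERIAL, OID_L, OID_ST, OID_O = "2.5.4.3", "2.5.4.5", "2.5.4.7", "2.5.4.8", "2.5.4.10"
LIMITED_TO_64 = {OID_CN, OID_L, OID_ST, OID_O}   # ub-* = 64 in RFC 5280 Appendix A
UB_64 = 64
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
        0x16: "IA5String", 0x1C: "UniversalString", 0x1E: "BMPString"}


def read_tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, content, position after the TLV)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_name(der):
    """Yield (oid, value_tag, value_bytes) for every AttributeTypeAndValue in a Name."""
    tag, rdns, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    pos = 0
    while pos < len(rdns):
        set_tag, rdn, pos = read_tlv(rdns, pos)      # RelativeDistinguishedName ::= SET OF
        assert set_tag == 0x31
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)              # AttributeTypeAndValue ::= SEQUENCE
            _, oid, q = read_tlv(atv, 0)
            val_tag, val, _ = read_tlv(atv, q)
            yield decode_oid(oid), val_tag, val


def char_len(tag, val):
    """Character (not byte) length, which is what the ub-* bounds count."""
    if tag == 0x1E:
        return len(val) // 2
    if tag == 0x1C:
        return len(val) // 4
    if tag == 0x0C:
        return len(val.decode("utf-8"))
    return len(val)


def lint_name(der):
    findings = []
    for oid, tag, val in parse_name(der):
        kind = TAGS.get(tag, f"tag 0x{tag:02x}")
        n = char_len(tag, val)
        if oid in LIMITED_TO_64 and n > UB_64:
            findings.append(f"{oid}: {n} characters exceeds the 64-character upper bound ({kind})")
        if tag == 0x14:
            findings.append(f"{oid}: TeletexString value; use PrintableString or UTF8String")
        if oid == OID_SERIAL and tag != 0x13:
            findings.append(f"{oid}: serialNumber must be PrintableString, got {kind}")
    return findings


KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
           "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]


def key_usage_names(bitstring_content):
    """Names of the bits set in a KeyUsage BIT STRING (first octet = unused-bit count)."""
    bits = bitstring_content[1:]
    return {name for i, name in enumerate(KU_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))}


def lint_key_usage(bitstring_content, is_ec):
    if is_ec and "keyAgreement" in key_usage_names(bitstring_content):
        return ["keyAgreement is set on an EC certificate"]
    return []


def rsa_modulus_finding(n):
    """Flag moduli under 2048 bits; a 2047-bit modulus is the case the thread debates."""
    bits = n.bit_length()
    return f"RSA modulus is {bits} bits, below 2048" if bits < 2048 else None


# --- constructed sample data (not a real certificate) ---------------------------
def encode_length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + encode_length(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def attr(oid, tag, text):
    codec = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1"}[tag]
    return tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(tag, text.encode(codec))))


SAMPLE_NAME = tlv(0x30,
                  attr(OID_O, 0x0C, "Ü" + "x" * 69)      # 70 characters in a UTF8String
                  + attr(OID_CN, 0x14, "example.test")   # CN as TeletexString
                  + attr(OID_SERIAL, 0x0C, "123456")     # serialNumber as UTF8String
                  + attr(OID_L, 0x13, "Vilnius"))        # compliant PrintableString

if __name__ == "__main__":
    for f in lint_name(SAMPLE_NAME) + lint_key_usage(b"\x03\x88", is_ec=True):
        print(f)
    print(rsa_modulus_finding(1 << 2046))
```

The Name parser deliberately counts characters rather than bytes, because the ub-* limits in RFC 5280 are character bounds and a UTF8String or BMPString value can be well within them while its byte length is not; that distinction is exactly what makes the 64-character limit bite harder on IDN-derived names.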
