[cabfpub] Misissuance of certificates

Peter Bowen pzb at amzn.com
Mon Jan 18 17:59:26 UTC 2016


The BRs apply to both “SSL” certificates and Extended Validation Code Signing certificates.

To me, this translates to excluding certificates which have one or more key purposes defined and do not include the id-kp-serverAuth key purpose.

The exception is where the key purposes include id-kp-codeSigning and the subject distinguished name includes an attribute of type 1.3.6.1.4.1.311.60.2.1.3, as these are EVCS certificates, so are in scope.  Given that the Code Signing BR ballot failed, other code signing certificates are not in scope.

Thanks,
Peter

> On Jan 18, 2016, at 9:16 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:
> 
> I thought the BRs only applied to SSL certificates; are you proposing that CAs track and report on more than just SSL certificates?  That surely goes beyond the BRs and the scope of CABF.
> 
> I personally feel strongly that the CABF, as a standards forum, should be focused on improving security and defining strong standards, but that compliance is a completely different group.  This is why we have WT for CA audits and also root programs which can levy compliance and reporting requirements on CAs.  If the Root store operators and WT want to get together and lead the definition of a compliance monitoring standard/initiative, that's fine, but I'm against CABF getting into that business.
> 
> Doug
> 
> 
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
> Sent: Monday, January 18, 2016 12:01 PM
> To: Sigbjørn Vik <sigbjorn at opera.com>; public at cabforum.org
> Subject: Re: [cabfpub] Misissuance of certificates
> 
> On 18/01/16 11:58, Sigbjørn Vik wrote:
>> No. The current understanding of the scope is all certificates 
>> chaining to a root embedded in public browsers. A CA can choose itself 
>> which roots are in scope, but not individual certificates.
> 
> Technically constraining it _does_ change some things. But if I remember correctly, those relate to other root program requirements, rather than to the BRs.
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
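The scoping rule Peter states above (exclude any certificate that carries an extKeyUsage extension without id-kp-serverAuth, unless it is an EV Code Signing certificate, i.e. id-kp-codeSigning plus a subject attribute of type 1.3.6.1.4.1.311.60.2.1.3) is exactly the filter a CA or root program would put in front of a misissuance lint. The script below is an added example, not code from the cabfpub thread or from any CA; it implements that rule directly on the two DER structures involved, the extKeyUsage extension value (SEQUENCE OF OID) and the subject Name. The sample inputs are constructed in the script with a minimal DER encoder so it runs offline; in practice you would pull those two fragments out of a real certificate with an X.509 library rather than this toy decoder, and the helper names (`in_br_scope`, `classify_samples`, etc.) are this example's own.

```python
"""Classify a certificate as in or out of Baseline Requirements scope,
following the EKU / EV Code Signing rule from the message above.

Added example, not from the cabfpub thread. Operates on the DER of the
extKeyUsage extension value and of the subject Name; the sample inputs are
constructed below with a tiny DER encoder (short-form lengths only).
"""
from typing import Optional, Set

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
EVCS_JURISDICTION_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"  # EV CS subject attribute named in the message
OID_COUNTRY_NAME = "2.5.4.6"
OID_COMMON_NAME = "2.5.4.3"

# ---- minimal DER decoding (enough for EKU and Name) -------------------------

def der_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body: bytes):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        yield tag, value

def decode_oid(value: bytes) -> str:
    """Decode OID contents octets (first octet packs arcs 1 and 2, rest base-128)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_eku(ext_value: bytes) -> Set[str]:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OID)."""
    tag, body, _ = der_tlv(ext_value)
    assert tag == 0x30, "extKeyUsage value must be a SEQUENCE"
    return {decode_oid(v) for t, v in der_children(body) if t == 0x06}

def subject_attribute_types(name: bytes) -> Set[str]:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value }."""
    tag, rdns, _ = der_tlv(name)
    assert tag == 0x30, "Name must be a SEQUENCE"
    types = set()
    for _, rdn in der_children(rdns):
        for _, atv in der_children(rdn):
            oid_tag, oid_val, _ = der_tlv(atv)   # type is always the first element
            assert oid_tag == 0x06
            types.add(decode_oid(oid_val))
    return types

# ---- the scoping rule from the message ----------------------------------------

def in_br_scope(eku: Optional[Set[str]], subject_types: Set[str]) -> bool:
    """No EKU at all: nothing excludes it. EKU without serverAuth: excluded,
    unless it is EV Code Signing (codeSigning EKU + EVCS jurisdiction attribute)."""
    if eku is None or ID_KP_SERVER_AUTH in eku:
        return True
    return ID_KP_CODE_SIGNING in eku and EVCS_JURISDICTION_COUNTRY in subject_types

def classify(eku_der: Optional[bytes], name_der: bytes) -> bool:
    eku = parse_eku(eku_der) if eku_der is not None else None
    return in_br_scope(eku, subject_attribute_types(name_der))

# ---- constructed sample inputs (toy DER encoder, short-form lengths only) ------

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                 # low group last, without continuation bit
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _eku(*oids: str) -> bytes:
    return _tlv(0x30, b"".join(_oid(o) for o in oids))

def _name(*atvs) -> bytes:
    """One PrintableString attribute per RDN, as CAs commonly emit."""
    rdns = [_tlv(0x31, _tlv(0x30, _oid(oid) + _tlv(0x13, text.encode("ascii")))) for oid, text in atvs]
    return _tlv(0x30, b"".join(rdns))

PLAIN_SUBJECT = _name((OID_COUNTRY_NAME, "US"), (OID_COMMON_NAME, "example.com"))
EVCS_SUBJECT = _name((EVCS_JURISDICTION_COUNTRY, "US"), (OID_COUNTRY_NAME, "US"), (OID_COMMON_NAME, "Example Corp"))

SAMPLES = {                                  # constructed, not real certificates
    "tls server": (_eku(ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH), PLAIN_SUBJECT),
    "s/mime": (_eku(ID_KP_EMAIL_PROTECTION), PLAIN_SUBJECT),
    "ev code signing": (_eku(ID_KP_CODE_SIGNING), EVCS_SUBJECT),
    "ov code signing": (_eku(ID_KP_CODE_SIGNING), PLAIN_SUBJECT),
    "no eku": (None, PLAIN_SUBJECT),
}

def classify_samples() -> dict:
    return {label: classify(e, n) for label, (e, n) in SAMPLES.items()}

if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:16s} -> {'in scope' if verdict else 'out of scope'}")
```

Note the asymmetry the rule creates: a code signing certificate from the same CA is in or out of scope depending only on whether the 1.3.6.1.4.1.311.60.2.1.3 attribute is present in the subject, so a scope filter has to look at the subject DN, not just the EKU extension.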