[cabfpub] Defining BR scope
pzb at amzn.com
Tue Jan 26 02:44:51 UTC 2016
> On Jan 25, 2016, at 1:39 PM, Ryan Sleevi <sleevi at google.com> wrote:
> On Fri, Jan 22, 2016 at 8:07 AM, Peter Bowen <pzb at amzn.com <mailto:pzb at amzn.com>> wrote:
> I don’t disagree with this assessment, but the current state of affairs, as I understand it, is that any end-entity certificate that is clearly not for server authentication is already excluded. Many browsers (or should I say ASSes to be BR compliant?) already operate trust stores that recognize a single root to be trusted to issue various kinds of certificates. Mozilla recognizes kp-emailProtection in addition to kp-serverAuth (and still includes kp-codeSigning for many roots), Microsoft recognizes six key purposes other than kp-serverAuth (and includes another four for many roots), and Apple seems to have many recognized key purposes.
> I'm not sure I understand your remark that "any end-entity certificate that is clearly not for server authentication is already excluded.", and was hoping you could explain you see how that flows. I can speculate the reasoning, but would probably explain it poorly, so I was hoping you could expand on where you see the non-BR compliance carveouts being.
The BRs state:
"These Requirements only address Certificates intended to be used for authenticating servers accessible through the Internet. Similar requirements for code signing, S/MIME, time‐stamping, VoIP, IM, Web services, etc. may be covered in future versions.”
This language is in v1.3.1 and was in v1.0. Based on the wording, I think it is clear that it is a statement of inclusion rather than a statement of exclusion, meaning that the default state is not covered by BR and Certificates are only covered by BR when they are "intended to be used for authenticating servers accessible through the Internet”.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public