[cabfpub] Draft Ballot - Baseline Requirements Corrections

Rick Andrews Rick_Andrews at symantec.com
Wed Mar 30 18:54:22 UTC 2016

Peter, you've done a lot of work here, and I don't want to appear ungrateful, but it's difficult to follow some of these changes. In the past, others have submitted ballots with redlined Word or pdf docs to make it easier to see exactly what is changing. Would it be possible to do that for this ballot?


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Monday, March 28, 2016 5:27 PM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Draft Ballot - Baseline Requirements Corrections


Here is the combined set of changes from the corrections thread.  It does not include allowing underscore in FQDNs nor does it allow U-labels in commonName attributes, as these did not appear to have consensus.  It does include a basic proposed change to the allowable content of the organizationName field of CA certificates, to match what is allowed in non-CA certificates, as an attempt to incorporate feedback from discussion on that topic.

I’ve proposed making these immediately effective, as I did not hear people calling out a need for time to implement.



Ballot 1XX: Baseline Requirements Corrections
The following motion has been proposed by Peter Bowen of Amazon and endorsed by _____________ of _____________ and __________ of ____________:


A number of small corrections and clarifications to the Baseline Requirements have been identified.  These are, in general, changes that reflect the existing understanding of the Baseline Requirements by the Forum.  Due to the understanding that these primarily represent existing practice, they are combined for efficiency.


Effective the date of passage, the following modifications to the Baseline Requirements are adopted:

In Section 1.6.1:
- In the definition of "Applicant Representative", replace "and agrees to the Certificate Terms of Use" with "the Terms of Use" and append "or is the CA" at the end of the definition;
- In the definition of "Terms of Use", append "or is the CA" at the end of the definition;
- In the definition of "Wildcard Certificate", replace "an asterisk (*) in the left‐most position of any of the Subject Fully‐Qualified Domain Names" with "a Wildcard DN in any of the Subject Alternative Name dNSNames";
- Insert a new definition: "Wildcard Domain Name (Wildcard DN): A Domain Name formed by prepending '*.' to a FQDN"

In section
- Replace "wildcard character (*)" with "Wildcard DN";
- Replace "wildcard character occurs in the first label position to the left of" with "FQDN portion of the Wildcard DN is";
- Replace " a wildcard would fall within the label immediately to the left of a registry‐controlled† or public suffix," with "so,";
- Replace "“*.example.com” to Example Co." with "“*.example” if the .example gTLD includes Specification 13 in its registry agreement".

Move the content in section 3.3.1 to section 4.2.1 to become the third paragraph in 4.2.1 and leave section 3.3.1 blank.

In section 4.9.9, replace all occurrences of "RFC2560" with "RFC6960".

In section 5.2.2, insert "CA" immediately before "Private Key".

In section 6.1.2, append "without authorization by the Subscriber" to the end of the first sentence.

In section 6.1.6, update the last citation to read: "[Source: Sections and, respectively, of NIST SP 56A: Revision 2]"

In section 6.2, in the second sentence, insert "CA" immediately before both instances of "Private Key".

In section 6.2.5, append "without authorization by the Subordinate CA" to the end of the sentence.

In section 7, insert the following introduction paragraph:
"All Certificates and Certificate Revocation Lists SHALL comply with RFC 5280 and RFC 6818.  They SHALL additionally comply with RFC3279, RFC4055, RFC5480, RFC5756, RFC5758 as appropriate based on the Subject Public Key Info and the Signature Algorithm present in the certificate."

In sections and change the organizationName line to read:
 "-  organizationName (OID This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”."

Change the title of section to "Subject Information - Subscriber Certificates".

In section, replace "Wildcard FQDNs are permitted." with "Wildcard DNs are permitted as an exception to RFC5280 and X.509".

In section 9.6.1 item 6:
- Insert "are the same entity or" immediately prior to "are Affiliated";
- Remove "and accepted".

In section 9.6.3, replace "agreement to the Terms of Use agreement." with "acknowledgement of the Terms of Use."

In section 9.6.3 item 2, replace "maintain sole control" with "assure control".

In the following sections, replace all occurrences of "Subscriber or Terms of Use Agreement" with "Subscriber Agreement or Terms of Use".
- Section 1.6.1, in the definition of "Subscriber"
- Section 4.1.2
- Section
- Section 4.9.11
- Section 9.6.1
- Section 9.6.3


Public mailing list
Public at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5749 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160330/35f1a4f2/attachment-0001.p7s>

More information about the Public mailing list