[cabfpub] Draft Ballot - Baseline Requirements Corrections
Rick_Andrews at symantec.com
Wed Mar 30 18:54:22 UTC 2016
Peter, you've done a lot of work here, and I don't want to appear ungrateful, but it's difficult to follow some of these changes. In the past, others have submitted ballots with redlined Word or pdf docs to make it easier to see exactly what is changing. Would it be possible to do that for this ballot?
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Monday, March 28, 2016 5:27 PM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Draft Ballot - Baseline Requirements Corrections
Here is the combined set of changes from the corrections thread. It does not include allowing underscore in FQDNs nor does it allow U-labels in commonName attributes, as these did not appear to have consensus. It does include a basic proposed change to the allowable content of the organizationName field of CA certificates, to match what is allowed in non-CA certificates, as an attempt to incorporate feedback from discussion on that topic.
I’ve proposed making these immediately effective, as I did not hear people calling out a need for time to implement.
Ballot 1XX: Baseline Requirements Corrections
The following motion has been proposed by Peter Bowen of Amazon and endorsed by _____________ of _____________ and __________ of ____________:
A number of small corrections and clarifications to the Baseline Requirements have been identified. These are, in general, changes that reflect the existing understanding of the Baseline Requirements by the Forum. Due to the understanding that these primarily represent existing practice, they are combined for efficiency.
-- MOTION BEGINS --
Effective the date of passage, the following modifications to the Baseline Requirements are adopted:
In Section 1.6.1:
- In the definition of "Wildcard Certificate", replace "an asterisk (*) in the left-most position of any of the Subject Fully-Qualified Domain Names" with "a Wildcard DN in any of the Subject Alternative Name dNSNames";
- Insert a new definition: "Wildcard Domain Name (Wildcard DN): A Domain Name formed by prepending '*.' to a FQDN"
In section 126.96.36.199:
- Replace "wildcard character (*)" with "Wildcard DN";
- Replace "wildcard character occurs in the first label position to the left of" with "FQDN portion of the Wildcard DN is";
- Replace " a wildcard would fall within the label immediately to the left of a registry-controlled† or public suffix," with "so,";
- Replace "“*.example.com” to Example Co." with "“*.example” if the .example gTLD includes Specification 13 in its registry agreement".
Move the content in section 3.3.1 to section 4.2.1 to become the third paragraph in 4.2.1 and leave section 3.3.1 blank.
In section 4.9.9, replace all occurrences of "RFC2560" with "RFC6960".
In section 5.2.2, insert "CA" immediately before "Private Key".
In section 6.1.2, append "without authorization by the Subscriber" to the end of the first sentence.
In section 6.1.6, update the last citation to read: "[Source: Sections 188.8.131.52.2 and 184.108.40.206.3, respectively, of NIST SP 56A: Revision 2]"
In section 6.2, in the second sentence, insert "CA" immediately before both instances of "Private Key".
In section 6.2.5, append "without authorization by the Subordinate CA" to the end of the sentence.
In section 7, insert the following introduction paragraph:
"All Certificates and Certificate Revocation Lists SHALL comply with RFC 5280 and RFC 6818. They SHALL additionally comply with RFC3279, RFC4055, RFC5480, RFC5756, RFC5758 as appropriate based on the Subject Public Key Info and the Signature Algorithm present in the certificate."
In sections 220.127.116.11(e) and 18.104.22.168(h) change the organizationName line to read:
"- organizationName (OID 22.214.171.124): This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section 126.96.36.199. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”."
Change the title of section 188.8.131.52 to "Subject Information - Subscriber Certificates".
In section 184.108.40.206.1, replace "Wildcard FQDNs are permitted." with "Wildcard DNs are permitted as an exception to RFC5280 and X.509".
In section 9.6.1 item 6:
- Insert "are the same entity or" immediately prior to "are Affiliated";
- Remove "and accepted".
In section 9.6.3 item 2, replace "maintain sole control" with "assure control".
- Section 1.6.1, in the definition of "Subscriber"
- Section 4.1.2
- Section 220.127.116.11
- Section 4.9.11
- Section 9.6.1
- Section 9.6.3
-- MOTION ENDS --
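The ballot's wildcard edits (the new "Wildcard DN" definition and the rewording of the wildcard domain validation section around the "FQDN portion of the Wildcard DN") describe a check a CA's issuance pipeline or a certificate linter has to perform. The following is an added example written for this archive page, not code from the ballot, the Forum, or any CA. It assumes the surrounding Baseline Requirements text that the fragments edit: a wildcard whose FQDN portion is a registry-controlled or public suffix is refused unless the applicant controls the entire namespace, which the ballot's "*.example ... Specification 13" example illustrates for single-registrant gTLDs. The public-suffix set and the Specification 13 gTLD set are constructed stand-ins; a real check consults the full Public Suffix List and the gTLD's registry agreement.

```python
import re

# Constructed sample of public suffixes (a real check loads the full Public Suffix List).
SAMPLE_PUBLIC_SUFFIXES = {"com", "co.uk", "example"}
# Constructed stand-in for gTLDs whose registry agreement includes Specification 13
# (single-registrant TLDs), where "*.<tld>" may be issued to the namespace owner.
SPEC13_GTLDS = {"example"}

# One DNS label: 1-63 LDH characters, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if `name` is a syntactically valid fully-qualified domain name (LDH labels only)."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def wildcard_fqdn_portion(name):
    """Apply the ballot's definition: a Wildcard DN is '*.' prepended to a FQDN.

    Returns the lower-cased FQDN portion, or None when `name` is not a Wildcard DN
    (no leading '*.', a second asterisk anywhere, or a malformed FQDN portion).
    """
    if not name.startswith("*."):
        return None
    rest = name[2:]
    if "*" in rest or not is_fqdn(rest):
        return None
    return rest.lower()


def evaluate_wildcard(name):
    """Classify a requested wildcard name as a CA's pre-issuance check would.

    Returns (verdict, reason) where verdict is one of:
      "reject"  - not a Wildcard DN at all (e.g. "*.*.example.com", "foo.*.example.com")
      "refuse"  - FQDN portion is a public suffix, so the wildcard would cover
                  names of unrelated registrants
      "allow-with-namespace-control" - FQDN portion is a Specification 13 gTLD;
                  issuable only to the party controlling the entire namespace
      "allow"   - ordinary wildcard, proceed to domain validation of the FQDN portion
    """
    fqdn = wildcard_fqdn_portion(name)
    if fqdn is None:
        return ("reject", "not a Wildcard DN: must be exactly '*.' followed by a FQDN")
    if fqdn in SAMPLE_PUBLIC_SUFFIXES:
        if fqdn in SPEC13_GTLDS and "." not in fqdn:
            return ("allow-with-namespace-control",
                    "FQDN portion is a Specification 13 gTLD; require proof of control of the whole namespace")
        return ("refuse", "FQDN portion is a registry-controlled or public suffix")
    return ("allow", "FQDN portion is not a public suffix; validate it as an ordinary FQDN")


if __name__ == "__main__":
    # Constructed sample requests a CA might receive.
    for requested in ["*.example.com", "*.co.uk", "*.com", "*.example",
                      "*.*.example.com", "foo.*.example.com", "*.EXAMPLE.COM"]:
        verdict, reason = evaluate_wildcard(requested)
        print(f"{requested:22} {verdict:30} {reason}")
```

The parser deliberately rejects anything other than a single leading "*." so that the definition's "prepending '*.' to a FQDN" is applied literally; everything else falls through to the same domain validation path as a non-wildcard name.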