[cabfpub] Draft Ballot - Baseline Requirements Corrections
pzb at amzn.com
Thu Mar 31 23:06:53 UTC 2016
Here is a revised draft. It removes the wildcard changes and fixes a few small typos. Any more changes or does anyone want to endorse?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CA-Browser Forum BR 1.3.3-corrections.2.doc
Size: 578560 bytes
Desc: not available
-------------- next part --------------
> On Mar 30, 2016, at 9:17 PM, Peter Bowen <pzb at amzn.com> wrote:
> Here is a redlined version in MS Word format.<CA-Browser Forum BR 1.3.3-corrections.doc>
>> On Mar 30, 2016, at 11:54 AM, Rick Andrews <rick_andrews at symantec.com> wrote:
>> Peter, you've done a lot of work here, and I don't want to appear ungrateful, but it's difficult to follow some of these changes. In the past, others have submitted ballots with redlined Word or pdf docs to make it easier to see exactly what is changing. Would it be possible to do that for this ballot?
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen
>> Sent: Monday, March 28, 2016 5:27 PM
>> To: CABFPub <public at cabforum.org>
>> Subject: [cabfpub] Draft Ballot - Baseline Requirements Corrections
>> Here is the combined set of changes from the corrections thread. It does not include allowing underscore in FQDNs nor does it allow U-labels in commonName attributes, as these did not appear to have consensus. It does include a basic proposed change to the allowable content of the organizationName field of CA certificates, to match what is allowed in non-CA certificates, as an attempt to incorporate feedback from discussion on that topic.
>> I?ve proposed making these immediately effective, as I did not hear people calling out a need for time to implement.
>> Ballot 1XX: Baseline Requirements Corrections
>> The following motion has been proposed by Peter Bowen of Amazon and endorsed by _____________ of _____________ and __________ of ____________:
>> A number of small corrections and clarifications to the Baseline Requirements have been identified. These are, in general, changes that reflect the existing understanding of the Baseline Requirements by the Forum. Due to the understanding that these primarily represent existing practice, they are combined for efficiency.
>> -- MOTION BEGINS --
>> Effective the date of passage, the following modifications to the Baseline Requirements are adopted:
>> In Section 1.6.1:
>> - In the definition of "Wildcard Certificate", replace "an asterisk (*) in the left?most position of any of the Subject Fully?Qualified Domain Names" with "a Wildcard DN in any of the Subject Alternative Name dNSNames";
>> - Insert a new definition: "Wildcard Domain Name (Wildcard DN): A Domain Name formed by prepending '*.' to a FQDN"
>> In section 188.8.131.52:
>> - Replace "wildcard character (*)" with "Wildcard DN";
>> - Replace "wildcard character occurs in the first label position to the left of" with "FQDN portion of the Wildcard DN is";
>> - Replace " a wildcard would fall within the label immediately to the left of a registry?controlled? or public suffix," with "so,";
>> - Replace "?*.example.com? to Example Co." with "?*.example? if the .example gTLD includes Specification 13 in its registry agreement".
>> Move the content in section 3.3.1 to section 4.2.1 to become the third paragraph in 4.2.1 and leave section 3.3.1 blank.
>> In section 4.9.9, replace all occurrences of "RFC2560" with "RFC6960".
>> In section 5.2.2, insert "CA" immediately before "Private Key".
>> In section 6.1.2, append "without authorization by the Subscriber" to the end of the first sentence.
>> In section 6.1.6, update the last citation to read: "[Source: Sections 184.108.40.206.2 and 220.127.116.11.3, respectively, of NIST SP 56A: Revision 2]"
>> In section 6.2, in the second sentence, insert "CA" immediately before both instances of "Private Key".
>> In section 6.2.5, append "without authorization by the Subordinate CA" to the end of the sentence.
>> In section 7, insert the following introduction paragraph:
>> "All Certificates and Certificate Revocation Lists SHALL comply with RFC 5280 and RFC 6818. They SHALL additionally comply with RFC3279, RFC4055, RFC5480, RFC5756, RFC5758 as appropriate based on the Subject Public Key Info and the Signature Algorithm present in the certificate."
>> In sections 18.104.22.168(e) and 22.214.171.124(h) change the organizationName line to read:
>> "- organizationName (OID 126.96.36.199): This field MUST be present and the contents MUST contain either the Subject CA?s name or DBA as verified under Section 188.8.131.52. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows ?Company Name Incorporated?, the CA MAY use ?Company Name Inc.? or ?Company Name?."
>> Change the title of section 184.108.40.206 to "Subject Information - Subscriber Certificates".
>> In section 220.127.116.11.1, replace "Wildcard FQDNs are permitted." with "Wildcard DNs are permitted as an exception to RFC5280 and X.509".
>> In section 9.6.1 item 6:
>> - Insert "are the same entity or" immediately prior to "are Affiliated";
>> - Remove "and accepted".
>> In section 9.6.3 item 2, replace "maintain sole control" with "assure control".
>> - Section 1.6.1, in the definition of "Subscriber"
>> - Section 4.1.2
>> - Section 18.104.22.168
>> - Section 4.9.11
>> - Section 9.6.1
>> - Section 9.6.3
>> -- MOTION ENDS --
>> Public mailing list
>> Public at cabforum.org
> Public mailing list
> Public at cabforum.org
More information about the Public