[cabfpub] RFC5280-related Ballot - For Discussion

Peter Bowen pzb at amzn.com
Fri Apr 14 03:19:00 UTC 2017


Huh?  Why would you need to use UTF8String?

IA5String allows underscore characters, as it is a super set of X3.4 (1968).  It also allows $, %, &, *, +, @ and many other characters.  

Were you maybe confusing IA5String with PrintableString, where the latter does not allow underscore, @, etc?

> On Apr 11, 2017, at 1:42 PM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> 
> No, encoding it as a UTF8String is not valid in the subjectAltName (whose type dNSName is defined as IA5String)
> 
> On Tue, Apr 11, 2017 at 4:31 PM, Ben Wilson via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> If the ballot were amended to address only underscore characters (and delete outdated content), would there be any endorsers?  See attached. <>
>  
> 
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678 <tel:(801)%20701-9678>
> <image003.jpg>
> 
>  
> 
> From: Public [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>] On Behalf Of Peter Bowen via Public
> Sent: Tuesday, April 11, 2017 10:23 AM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org>>
> Cc: Peter Bowen <pzb at amzn.com <mailto:pzb at amzn.com>>
> 
> 
> Subject: Re: [cabfpub] RFC5280-related Ballot - For Discussion
> 
>  
> 
> I agree.  There seems to be quite a bit of opposition on the PKIX list to extending the length.  It was reasonably pointed out that things that process ASN.1 according to the schema will break.
> 
>  
> 
> However I would point out that this also rolls the other way — adding underscore should be safe, as the ASN.1 schema already allows this.
> 
>  
> 
> On Apr 10, 2017, at 12:33 PM, Ryan Sleevi via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> 
>  
> 
> That's an interesting take. I read the same discussions and took quite the opposite conclusion.
> 
>  
> 
> On Mon, Apr 10, 2017 at 3:23 PM, Ben Wilson via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> 
> All, <>
>  
> 
> I’ve posted the proposal to the PKIX list and haven’t heard sufficient opposition on that list, IMHO, that would merit holding up this proposed revision to the Baseline Requirements.  I need two endorsers for a ballot.
> 
>  
> 
> Thanks,
> 
>  
> 
> Ben   
> 
>  
> 
> From: Ryan Sleevi [mailto:sleevi at google.com <mailto:sleevi at google.com>] 
> Sent: Monday, April 3, 2017 9:59 AM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org>>
> Cc: Ben Wilson <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com>>
> Subject: Re: [cabfpub] RFC5280-related Ballot - For Discussion
> 
>  
> 
> For those who want to understand why the IETF rejected this change, the thread begins at 
> 
>  
> 
> https://mailarchive.ietf.org/arch/msg/pkix/MJwKL1lqRDuEAhqQ1Ydb5eWBSIs/?qid=ace7ed4844045716922706d6a80b0747 <https://mailarchive.ietf.org/arch/msg/pkix/MJwKL1lqRDuEAhqQ1Ydb5eWBSIs/?qid=ace7ed4844045716922706d6a80b0747>
>  
> 
> You can also see https://datatracker.ietf.org/liaison/376/ <https://datatracker.ietf.org/liaison/376/> and the discussion at https://www.ietf.org/mail-archive/web/pkix/current/msg02361.html <https://www.ietf.org/mail-archive/web/pkix/current/msg02361.html>
>  
> 
> This was reviewed prior to the production of 5280 - that is, it was known at the time 5280 was produced, and was decided not to adopt - see https://www.ietf.org/mail-archive/web/pkix/current/msg02357.html <https://www.ietf.org/mail-archive/web/pkix/current/msg02357.html> and https://www.ietf.org/mail-archive/web/pkix/current/msg02336.html <https://www.ietf.org/mail-archive/web/pkix/current/msg02336.html>
>  
> 
> On Mon, Apr 3, 2017 at 11:22 AM, Ben Wilson via Public <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> 
> Here is a redlined version of sections 7.1.4.2.1 and 7.1.4.2.2 of the Baseline Requirements which proposes amendments to the way the Baseline Requirements handle the maximum length for subjectAltName, commonName and organizationName and also clarifies the use of the underscore character.
> 
>  
> 
>  
> 
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678 <tel:(801)%20701-9678>
> <image003.jpg>
> 
>  
> 
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org <mailto:Public at cabforum.org>
> https://cabforum.org/mailman/listinfo/public <https://cabforum.org/mailman/listinfo/public>
>  
> 
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org <mailto:Public at cabforum.org>
> https://cabforum.org/mailman/listinfo/public <https://cabforum.org/mailman/listinfo/public>
>  
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org <mailto:Public at cabforum.org>
> https://cabforum.org/mailman/listinfo/public <https://cabforum.org/mailman/listinfo/public>
>  
> 
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org <mailto:Public at cabforum.org>
> https://cabforum.org/mailman/listinfo/public <https://cabforum.org/mailman/listinfo/public>
> 
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170413/46e97848/attachment-0003.html>


More information about the Public mailing list