[cabfpub] RFC5280-related Ballot - For Discussion

Ben Wilson ben.wilson at digicert.com
Fri Apr 14 13:00:35 UTC 2017


I got confused with other strings that are in certificates. With the change, as noted, would you be willing to endorse? Anyone else?

Thanks,

Ben

 

Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678



 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Thursday, April 13, 2017 9:19 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: Re: [cabfpub] RFC5280-related Ballot - For Discussion

 

Huh?  Why would you need to use UTF8String?

 

IA5String allows underscore characters, as it is a superset of X3.4 (1968).  It also allows $, %, &, *, +, @ and many other characters.

 

Were you maybe confusing IA5String with PrintableString, where the latter does not allow underscore, @, etc?

 

On Apr 11, 2017, at 1:42 PM, Ryan Sleevi via Public <public at cabforum.org> wrote:

 

No, encoding it as a UTF8String is not valid in the subjectAltName (whose type dNSName is defined as IA5String)

 

On Tue, Apr 11, 2017 at 4:31 PM, Ben Wilson via Public <public at cabforum.org> wrote:

If the ballot were amended to address only underscore characters (and delete outdated content), would there be any endorsers?  See attached.

 

Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Tuesday, April 11, 2017 10:23 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: Re: [cabfpub] RFC5280-related Ballot - For Discussion

 

 

I agree.  There seems to be quite a bit of opposition on the PKIX list to extending the length.  It was reasonably pointed out that things that process ASN.1 according to the schema will break.

 

However I would point out that this also rolls the other way — adding underscore should be safe, as the ASN.1 schema already allows this.

 

On Apr 10, 2017, at 12:33 PM, Ryan Sleevi via Public <public at cabforum.org> wrote:

 

That's an interesting take. I read the same discussions and took quite the opposite conclusion.

 

On Mon, Apr 10, 2017 at 3:23 PM, Ben Wilson via Public <public at cabforum.org> wrote:

All,

 

I’ve posted the proposal to the PKIX list and haven’t heard sufficient opposition on that list, IMHO, that would merit holding up this proposed revision to the Baseline Requirements.  I need two endorsers for a ballot.

 

Thanks,

 

Ben   

 

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, April 3, 2017 9:59 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabfpub] RFC5280-related Ballot - For Discussion

 

For those who want to understand why the IETF rejected this change, the thread begins at 

 

https://mailarchive.ietf.org/arch/msg/pkix/MJwKL1lqRDuEAhqQ1Ydb5eWBSIs/?qid=ace7ed4844045716922706d6a80b0747

 

You can also see https://datatracker.ietf.org/liaison/376/ and the discussion at https://www.ietf.org/mail-archive/web/pkix/current/msg02361.html

 

This was reviewed prior to the production of 5280 - that is, it was known at the time 5280 was produced, and was decided not to adopt - see https://www.ietf.org/mail-archive/web/pkix/current/msg02357.html and https://www.ietf.org/mail-archive/web/pkix/current/msg02336.html

 

On Mon, Apr 3, 2017 at 11:22 AM, Ben Wilson via Public <public at cabforum.org> wrote:

Here is a redlined version of sections 7.1.4.2.1 and 7.1.4.2.2 of the Baseline Requirements which proposes amendments to the way the Baseline Requirements handle the maximum length for subjectAltName, commonName and organizationName and also clarifies the use of the underscore character.

 

 

Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678

 


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
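
The string-type distinction discussed in this thread, as an added example that is not part of any message or of the ballot text: dNSName is `[2] IMPLICIT IA5String`, so underscore fits the schema, while PrintableString rejects it and UTF-8 octets do not fit at all. Function names and sample names are constructed, and the letter-digit-hyphen (LDH) hostname check is an assumption included only for contrast.

```python
import string

# PrintableString repertoire (X.680): letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")
LDH = set(string.ascii_letters + string.digits + "-")  # letter-digit-hyphen

def fits_printable(s):
    return all(c in PRINTABLE for c in s)

def fits_ia5(raw):
    # IA5String is the 7-bit repertoire: every octet must be below 0x80.
    return all(b < 0x80 for b in raw)

def is_ldh(name):
    # Assumed hostname rule for contrast: labels of 1-63 LDH characters,
    # with no leading or trailing hyphen.
    return all(1 <= len(l) <= 63 and set(l) <= LDH and l[0] != "-" and l[-1] != "-"
               for l in name.split("."))

def encode_dns_name(name):
    # GeneralName dNSName is [2] IMPLICIT IA5String: tag 0x82, then DER length.
    raw = name.encode("utf-8")
    if not fits_ia5(raw):
        raise ValueError("dNSName content must be IA5String")
    n = len(raw)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return b"\x82" + length + raw

def check_dns_name(der):
    # Classify one DER-encoded dNSName (short-form length only, for brevity).
    if len(der) < 2 or der[0] != 0x82:
        raise ValueError("not a dNSName ([2] IMPLICIT IA5String)")
    if der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    raw = der[2:]
    if not fits_ia5(raw):
        return {"ia5": False, "printable": False, "ldh": False}
    name = raw.decode("ascii")
    return {"ia5": True, "printable": fits_printable(name), "ldh": is_ldh(name)}

if __name__ == "__main__":
    for sample in ("www.example.com", "_sip.example.com"):  # constructed names
        print(sample, check_dns_name(encode_dns_name(sample)))
```
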

 

