[cabfpub] Proposed Ballot 184 - Allowing 822 Names and (limited) otherNames

Scott Rea scott at scottrea.com
Mon Jan 9 23:20:19 MST 2017


G'day folks,

For the record, I am comfortable with all of Jeremy's proposal with one
caveat - I agree with Ryan/Rob/others etc that we should be looking to
bring the BRs back into compliance with RFC5280 or rather RFC6818 which
is the latest update to 5280 I believe.

I don't necessarily agree that the right path to achieving this is to
mandate that WFA needs to join CABF so they can be represented in the
discussion - that is entirely up to their community to decide if they
want to, or perhaps CABF can invite them if it desires.

Right now we have a consideration from an existing member who has given
us reasons for why they are asking for a change. All the changes look
fine to me with the exception of the potential to run afoul of the RFC
which was only temporarily relaxed for practicality reasons.

Jeremy, if you can live without the criticality portion of the proposal,
then the rest of the proposal should not provide any barriers from my
perspective.

CABF has been clear about the temporary nature of that relaxation and
the desire to re-adjust that when it practically can. That timetable
should be based on Apple's efforts for compliance with the RFCs and no
consideration should be given whatsoever to WFA since they are not a
part of this community.

And yes, even though DigiCert is a member of the community, we put them
on notice with any accepted change that the current relaxation has a
short lifetime and after a certain date, it will be ratified with RFC
recommendation. Jeremy can then choose to issue his dual certs today
with the foreknowledge of their likely limited acceptance, or he can go
back to WFA and petition them to change their profiles (we don't really
care, but he did say that WFA made their decision on criticality for
much the same reason CABF did, which if this is the case, then I think
the two trust communities are actually aligned on this so this should be
a non-issue).

Regards,
_Scott

On 1/10/2017 3:36 AM, Kirk Hall via Public wrote:
> Everyone – please make sure your Subject line for this topic says
> “Ballot 184” (Jeremy’s new ballot number, adopted a couple of days
> ago).  Ballot 183 is the voting rules draft that Virginia is working on.
> 
> *From:*Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Geoff
> Keating via Public
> *Sent:* Monday, January 9, 2017 2:24 PM
> *To:* Rob Stradling <rob.stradling at comodo.com>
> *Cc:* Geoff Keating <geoffk at apple.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject:* Re: [cabfpub] Proposed Ballot 183 - Allowing 822 Names and
> (limited) otherNames
> 
> 
>     On Jan 9, 2017, at 1:10 PM, Rob Stradling <rob.stradling at comodo.com
>     <mailto:rob.stradling at comodo.com>> wrote:
> 
>     On 09/01/17 17:39, Rich Smith via Public wrote:
>     <snip>
> 
>         Scenario:
>         We ignore this and Ryan's arguments against, and we pass this
>         proposal.
>         Next month we decide that the various browsers all now have enough
>         support for critical name constraints to update the BRs to MUST, but
>         because it will break your newly authorized dual-use certs
>         Digicert is
>         now arguing against bringing the BRs back into full compliance
>         w/RFC5280.
> 
> 
>     Geoff,
> 
>     Would you (or anyone else from Apple) be able to provide CABForum
>     with data on the % of currently deployed Apple devices that support
>     critical name constraints?
> 
> 
> Sure, although of course only public data.  We have this page:
> 
> https://developer.apple.com/support/app-store/
> 
> which shows that "76% of devices are using iOS 10” and an additional 18%
> using iOS 9, as of January 4, for a total of 94% supporting name
> constraints.  For macOS, I don’t believe Apple publishes numbers, but
> there’s public data here:
> 
> http://netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
> 
> which if you strip out the non-macOS systems, looks like this:
> 
> for 68% of devices running macOS 10.12 or OS X 10.11 in December 2017,
> and so supporting name constraints.  (I won't endorse the accuracy of
> the netmarketshare numbers, but they explain their methodology and so
> you can form your own opinion.)
> 

-- 
Scott Rea, MSc, CISSP
Ph# (801) 874-4114
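The criticality question at the centre of this thread, shown as an added illustration that is not code from the thread or from any CA: RFC 5280 requires a conforming CA to mark nameConstraints critical, and a client that does not recognise a critical extension must reject the certificate, while a non-critical one it does not recognise is silently ignored. The nameConstraints OID is the real one; the extension values, the two extension sets and the two client profiles are constructed stand-ins, not real certificates or products.

```python
NAME_CONSTRAINTS = bytes.fromhex("551d1e")  # OID 2.5.29.30 nameConstraints (RFC 5280)

def _tlv(tag, body):
    assert len(body) < 0x80  # short-form DER lengths suffice here
    return bytes([tag, len(body)]) + body

def encode_extension(oid, critical, value):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    # DER never encodes a DEFAULT value: "non-critical" simply means the BOOLEAN is absent.
    body = _tlv(0x06, oid)
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, value))

def _read(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_extensions(der):
    """Return [(oid, critical, value)] from an Extensions SEQUENCE."""
    _, seq, _ = _read(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _read(seq, pos)
        _, oid, p = _read(ext, 0)
        tag, val, p = _read(ext, p)
        critical = tag == 0x01 and val == b"\xff"
        if tag == 0x01:  # optional BOOLEAN present; the OCTET STRING follows it
            tag, val, p = _read(ext, p)
        out.append((oid, critical, val))
    return out

def issuer_conforms_to_rfc5280(der):
    """RFC 5280 4.2.1.10: a conforming CA MUST mark nameConstraints critical."""
    return all(c for oid, c, _ in decode_extensions(der) if oid == NAME_CONSTRAINTS)

def client_verdict(der, understood):
    """RFC 5280 4.2: a client rejects an unrecognised critical extension and
    ignores an unrecognised non-critical one, so its constraints go unenforced."""
    exts = decode_extensions(der)
    if any(c and oid not in understood for oid, c, _ in exts):
        return "reject"
    enforced = any(oid == NAME_CONSTRAINTS and oid in understood for oid, _, _ in exts)
    return "accept-constrained" if enforced else "accept-unconstrained"

# Constructed stand-ins, not real certificates; the nameConstraints value is an opaque placeholder.
NC_VALUE = b"\x30\x00"
RELAXED = _tlv(0x30, encode_extension(NAME_CONSTRAINTS, False, NC_VALUE))  # BR-relaxed form
STRICT = _tlv(0x30, encode_extension(NAME_CONSTRAINTS, True, NC_VALUE))    # RFC 5280 form
OLD_CLIENT, NEW_CLIENT = set(), {NAME_CONSTRAINTS}  # without / with name-constraints support
```

The relaxed form is accepted everywhere but its constraints are never enforced on an old client; the strict form is enforced on a new client and rejected outright on an old one, which is the trade-off the ballot discussion is about.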