[cabfpub] Draft CAA motion (3)

Ryan Sleevi sleevi at google.com
Fri Jan 13 10:36:23 MST 2017


On Fri, Jan 13, 2017 at 7:23 AM, Gervase Markham via Public <
public at cabforum.org> wrote:

> On 13/01/17 14:55, Doug Beattie wrote:
> > I'd suggest we include exactly what is required in the ballot and if
> > the RFC changes then we have a new ballot to specify the changes and
> > effective dates.
>
> Well, it's not the RFC that would change - if it was, that would be
> simpler :-) It's the extension registries.
>
> Text proposals welcome.
>

CAs MUST support the issue, issuewild, and iodef property tags. Additional
property tags MAY be supported, but MUST NOT conflict with or supersede the
mandatory property tags set out in this document. CAs MUST respect the
critical flag and reject any unrecognized properties with this set.

Is just one stab. I think Doug's on the money that it does make sense to
highlight what's mandatory to implement, what's optional. If you
particularly aren't sure how to word this, I think RFC 5280 provides enough
examples that may be (hopefully) accessible to CAs and auditors,
considering how extensions like basicConstraints or nameConstraints are
specified.

The above wording is mostly to make sure we don't have a CA inventing
something that says "I get to ignore everything" and then claiming
compliance - that's why it tries to lay out the 'no sneaky tricks' in the
MUST NOT.
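
Added example, not part of the original message or of any CA/Browser Forum text: a sketch of the issuance check the proposed wording implies, covering the three mandatory tags and refusal on an unrecognized property with the critical flag set. It assumes the relevant CAA RRset has already been located, follows RFC 6844 for the RDATA layout and the issuewild precedence, and uses `ca.example` and the `tbs` tag as constructed placeholders.

```python
# Added example: CAA property handling per the proposed ballot wording.
# All sample records are constructed; "ca.example" is a placeholder issuer.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # mandatory tags in the proposal
CRITICAL = 0x80                               # issuer critical flag bit

def parse_caa_rdata(rdata: bytes):
    """Decode CAA RDATA: flags octet, tag-length octet, tag, then value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()  # tags match case-insensitively
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value

def issuer_of(value: str) -> str:
    """Issuer domain is the part before any ';' parameters; it may be empty."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")

def caa_permits(rrset, ca_domain: str, wildcard: bool) -> bool:
    """Decide whether the relevant CAA RRset lets ca_domain issue."""
    records = [parse_caa_rdata(r) for r in rrset]
    # Unrecognized property with the critical flag set: refuse to issue.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [issuer_of(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_of(v) for _, t, v in records if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable issue restriction (e.g. iodef only)
    return ca_domain.lower() in relevant

def rdata(flags: int, tag: str, value: str) -> bytes:
    """Build constructed sample RDATA for the demo below."""
    return bytes([flags, len(tag)]) + tag.encode() + value.encode()

if __name__ == "__main__":
    rrset = [rdata(0, "issue", "ca.example"), rdata(0, "issuewild", ";"),
             rdata(0, "iodef", "mailto:security@example.com")]
    print(caa_permits(rrset, "ca.example", wildcard=False))
    print(caa_permits(rrset, "ca.example", wildcard=True))
    print(caa_permits(rrset + [rdata(0x80, "tbs", "x")], "ca.example", False))
```

A property with an unknown tag and the critical flag clear is ignored here, so only the flagged case blocks issuance.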