[cabfpub] Ballot 189 - Amend Section 6.1.7 of Baseline Requirements
Ryan Sleevi
sleevi at google.com
Thu Mar 30 11:20:35 MST 2017
On Thu, Mar 30, 2017 at 1:03 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
wrote:
>
> The intention is that it MUST NOT be permitted to directly sign a
> id-kp-timeStamping certificate from such a Root. The reason behind this is
> that only Roots that participate in a hierarchy that eventually issues
> publicly trusted SSL certificates should have this rule. Roots that
> participate in a hierarchy that does not issue SSL end-entity certificates
> should not need to follow this rule. Could you please offer some
> improvement language to make this clearer?
>
Thanks for clarifying the intent.
I'm unsure what the issue is with the original wording, which I think made
that clear:
"Root CA Private Keys MUST NOT be used to sign Certificates except in the
following cases:"
Why doesn't that sufficiently address it? As I understand it, your concern
was related to whether id-kp-timeStamping relates to "infrastructure"
certificates, but that doesn't seem to have been addressed/clarified in a
way that would move closer to that goal, right?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170330/330303e4/attachment.html>
More information about the Public
mailing list