[cabfpub] Ballot 190

Jeremy Rowley jeremy.rowley at digicert.com
Tue May 2 18:34:22 UTC 2017


Should we include the domain name in that sequence so it’s not ordered? 

 

Such as:  

 

BRComplianceDetails ::= SEQUENCE {

            dNSName                   IA5String,

            version                        OBJECT IDENTIFIER,

            validationMethod        INTEGER

}

 

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Monday, May 1, 2017 9:18 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Ballot 190

 

Well, I was discussing in the broader context :)

 

For example, you "could" simply indicate

 

BRComplianceDetails ::= SEQUENCE {

  version   OBJECT IDENTIFIER,

  validationMethod  INTEGER

}

 

As an extension

 

There are, of course, more efficient ways to structure this data (for example, expandable enum of INTEGER values for version). I just provided this as a quick and dirty example of how you could provide this information within a certificate in a clear and auditable way. It could allow, for example, auditors to ensure that their random sampling methodology appropriately covered all validation methods the CA practiced, without undermining the purpose and value of sampling.

 

On Mon, May 1, 2017 at 11:13 AM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:

How does this work if the intermediate doesn't contain the anyPolicy OID?

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> ] On Behalf Of Gervase
Markham via Public
Sent: Monday, May 1, 2017 9:08 AM
To: Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> >; CA/Browser Forum Public Discussion List
<public at cabforum.org <mailto:public at cabforum.org> >
Cc: Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org> >
Subject: Re: [cabfpub] Ballot 190

On 01/05/17 16:02, Ryan Sleevi wrote:
> I did. It allows users to make an informed decision of the
> trustworthiness of the information presented in the certificate, much
> like EV policy OIDs and OV policy OIDs reportedly provide a stronger
> level of assertion.

Did you anticipate a marker both for the validation method and also for the
version of the BRs used? Both would be needed to pin it down exactly.

Gerv

_______________________________________________
Public mailing list
Public at cabforum.org <mailto:Public at cabforum.org> 
https://cabforum.org/mailman/listinfo/public

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170502/964fd106/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170502/964fd106/attachment.p7s>


More information about the Public mailing list