[cabfpub] Ballot 190
Jeremy Rowley
jeremy.rowley at digicert.com
Tue May 2 18:34:22 UTC 2017
Should we include the domain name in that sequence so it’s not ordered?
Such as:
BRComplianceDetails ::= SEQUENCE {
dNSName IA5String,
version OBJECT IDENTIFIER,
validationMethod INTEGER
}
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, May 1, 2017 9:18 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Ballot 190
Well, I was discussing in the broader context :)
For example, you "could" simply indicate
BRComplianceDetails ::= SEQUENCE {
version OBJECT IDENTIFIER,
validationMethod INTEGER
}
As an extension
There are, of course, more efficient ways to structure this data (for example, expandable enum of INTEGER values for version). I just provided this as a quick and dirty example of how you could provide this information within a certificate in a clear and auditable way. It could allow, for example, auditors to ensure that their random sampling methodology appropriately covered all validation methods the CA practiced, without undermining the purpose and value of sampling.
On Mon, May 1, 2017 at 11:13 AM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:
How does this work if the intermediate doesn't contain the anyPolicy OID?
-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> ] On Behalf Of Gervase
Markham via Public
Sent: Monday, May 1, 2017 9:08 AM
To: Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> >; CA/Browser Forum Public Discussion List
<public at cabforum.org <mailto:public at cabforum.org> >
Cc: Gervase Markham <gerv at mozilla.org <mailto:gerv at mozilla.org> >
Subject: Re: [cabfpub] Ballot 190
On 01/05/17 16:02, Ryan Sleevi wrote:
> I did. It allows users to make an informed decision of the
> trustworthiness of the information presented in the certificate, much
> like EV policy OIDs and OV policy OIDs reportedly provide a stronger
> level of assertion.
Did you anticipate a marker both for the validation method and also for the
version of the BRs used? Both would be needed to pin it down exactly.
Gerv
_______________________________________________
Public mailing list
Public at cabforum.org <mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170502/964fd106/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170502/964fd106/attachment.p7s>
More information about the Public
mailing list