[cabfpub] Ballot 184 - SRVnames

Jeremy Rowley jeremy.rowley at digicert.com
Tue Oct 3 22:38:50 MST 2017


Probably time to finish this ballot off.  This is the last version I have,
slightly modified to remove the 822 and other language.  Thoughts?

Ballot 184 - SRVNames

Amend Section 7.1.4.2.1 as follows:

7.1.4.2.1. Subject Alternative Name Extension

Certificate Field: extensions:subjectAltName

Required/Optional: Required

Contents: This extension MUST contain at least one entry where each included
entry is one of the following:



7.1.4.2.1.1. dNSName

The subjectAltName extension MAY include one or more dNSName entries
provided each entry is either a Fully‐Qualified Domain Name or a Wildcard
Domain Name. The CA MUST confirm the Applicant’s ownership or control over
each Fully-Qualified Domain Name and Wildcard Domain Name entry in
accordance with Section 3.2.2.4. Except where the entry is an Internal Name
with onion as the right‐most label in an entry in the subjectAltName
Extension or commonName field in accordance with Appendix F of the EV
Guidelines, CAs MUST NOT include an Internal Name in a dNSName entry.



7.1.4.2.1.2. iPAddress

The subjectAltName MAY include one or more iPAddress entries provided the CA
has confirmed the Applicant’s ownership or control over each IP address
entry in accordance with Section 3.2.2.5. CAs MUST NOT include any entry
that is a Reserved IP Address.



7.1.4.2.1.4. otherName with SRVName { 1.3.6.1.5.5.7.0.18.8.7 } type-id

The subjectAltName MAY include one or more SRVNames (as defined in RFC4986)
as an otherName entry with the SRVName type-id. The CA MUST verify the name
portion of the entry in accordance with Section 3.2.2.4.  A CA MUST NOT
include a Wildcard Domain Name in any SRVName entry. If a Technically
Constrained Subordinate CA Certificate includes a dNSName constraint but
does not have a technical constraint for SRVNames, the CA MUST NOT issue
certificates containing SRVNames from the Technically Constrained
Subordinate CA Certificate. The CA MUST include permitted name subtrees and
MAY include excluded name subtrees in all Technically Constrained
Subordinate CA Certificates that include a technical constraint for
SRVNames.
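
The rules in the draft 7.1.4.2.1.4 above can be expressed as a pre-issuance check. The following is an added example, not part of the original message or of any CA's code. The `IssuingCA` model, the `(type, value)` SAN tuples, the function names and the `_service.name` form of an SRVName are assumptions made for illustration, and the check does not evaluate whether a name falls inside a permitted subtree.

```python
from dataclasses import dataclass, field

@dataclass
class IssuingCA:
    # Constructed model of a subordinate CA's nameConstraints, keyed by name type,
    # e.g. {"dNSName": {"permitted": ["example.com"], "excluded": []}}.
    constraints: dict = field(default_factory=dict)

def srv_name_portion(srv):
    """Return the name portion of an SRVName, assumed to look like '_service.name'."""
    service, _, name = srv.partition(".")
    if not service.startswith("_") or len(service) < 2 or not name:
        raise ValueError(f"not an SRVName: {srv!r}")
    return name

def check_ca_profile(ca):
    """Findings against the CA certificate itself (empty list means pass)."""
    srv = ca.constraints.get("SRVName")
    # A CA certificate that constrains SRVNames must carry permitted subtrees.
    if srv is not None and not srv.get("permitted"):
        return ["SRVName constraint present without permitted subtrees"]
    return []

def check_san(ca, san):
    """Findings for a requested subjectAltName, given as (type, value) tuples."""
    findings = []
    if not san:
        findings.append("subjectAltName has no entries")
    srv_entries = [value for kind, value in san if kind == "SRVName"]
    for value in srv_entries:
        try:
            name = srv_name_portion(value)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        # No Wildcard Domain Name may appear in an SRVName entry.
        if any("*" in label for label in name.split(".")):
            findings.append(f"wildcard in SRVName: {value}")
    # dNSName-constrained CA without an SRVName constraint must not issue SRVNames.
    if srv_entries and "dNSName" in ca.constraints and "SRVName" not in ca.constraints:
        findings.append("CA has dNSName constraint but no SRVName constraint")
    return findings
```
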


