[cabfpub] Ballot 184 - SRVnames

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Oct 4 13:41:23 UTC 2017


Jeremy, is it possible to distribute this in a redline or comparison format so people can see the changes - Bylaw 2.3 says the following: “If the Draft Guideline Ballot is proposing a Final Maintenance Guideline, such ballot will include a redline or comparison showing the set of changes from the Final Guideline section(s) intended to become a Final Maintenance Guideline ***”.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Public
Sent: Wednesday, October 4, 2017 1:39 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [EXTERNAL][cabfpub] Ballot 184 - SRVnames


Probably time to finish this ballot off.  This is the last version I have, slightly modified to remove the 822 and other language.  Thoughts?

Ballot 184 - SRVNames

Amend Section 7.1.4.2.1 as follows:

7.1.4.2.1. Subject Alternative Name Extension

Certificate Field: extensions:subjectAltName

Required/Optional: Required

Contents: This extension MUST contain at least one entry where each included entry is one of the following:



7.1.4.2.1.1. dNSName

The subjectAltName extension MAY include one or more dNSName entries provided each entry is either a Fully‐Qualified Domain Name or a Wildcard Domain Name. The CA MUST confirm the Applicant’s ownership or control over each Fully-Qualified Domain Name and Wildcard Domain Name entry in accordance with Section 3.2.2.4. Except where the entry is an Internal Name with onion as the right‐most label in an entry in the subjectAltName Extension or commonName field in accordance with Appendix F of the EV Guidelines, CAs MUST NOT include an Internal Name in a dNSName entry.



7.1.4.2.1.2. iPAddress

The subjectAltName MAY include one or more iPAddress entries provided the CA has confirmed the Applicant’s ownership or control over each IP address entry in accordance with Section 3.2.2.5. CAs MUST NOT include any entry that is a Reserved IP Address.



7.1.4.2.1.4. otherName with SRVName { 1.3.6.1.5.5.7.0.18.8.7 } type-id

The subjectAltName MAY include one or more SRVNames (as defined in RFC4986) as an otherName entry with the SRVName type-id. The CA MUST verify the name portion of the entry in accordance with Section 3.2.2.4. A CA MUST NOT include a Wildcard Domain Name in any SRVName entry. If a Technically Constrained Subordinate CA Certificate includes a dNSName constraint but does not have a technical constraint for SRVNames, the CA MUST NOT issue certificates containing SRVNames from the Technically Constrained Subordinate CA Certificate. The CA MUST include permitted name subtrees and MAY include excluded name subtrees in all Technically Constrained Subordinate CA Certificates that include a technical constraint for SRVNames.
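
As an added illustration (not part of the ballot or of either message), the following sketches a pre-issuance lint for the SRVName rules in the proposed 7.1.4.2.1.4: no wildcard in an SRVName, no SRVName issuance from a sub-CA that constrains dNSName but not SRVName, and permitted subtrees required when SRVName is constrained. The function names and the tuple/dict data model are hypothetical, and constraint bases are assumed to be plain DNS names.

```python
# Added illustration; the tuple/dict data model is hypothetical, not a library API.

def in_subtree(name, base):
    """DNS-style match: name equals base or is a subdomain of it."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def lint_srvnames(san_entries, issuer_constraints=None):
    """Return findings for SRVName entries in a to-be-issued certificate.

    san_entries: [(type, value)], e.g. ("SRVName", "_imap.example.com").
    issuer_constraints: None if the issuing CA is not technically constrained,
    else {"dNSName": {...}, "SRVName": {"permitted": [...], "excluded": [...]}}.
    Assumption: constraint bases are plain DNS names such as "example.com".
    """
    findings = []
    srv = [value for kind, value in san_entries if kind == "SRVName"]
    for value in srv:
        service, _, name = value.partition(".")
        if len(service) < 2 or not service.startswith("_") or not name:
            findings.append(f"{value}: not of the form _service.name")
        elif "*" in name:
            findings.append(f"{value}: wildcard not allowed in an SRVName")
    if issuer_constraints is None or not srv:
        return findings
    srv_nc = issuer_constraints.get("SRVName")
    if srv_nc is None:
        # Sub-CA constrains dNSName only: the ballot forbids SRVNames from it.
        if "dNSName" in issuer_constraints:
            findings.append("issuer constrains dNSName but not SRVName: "
                            "SRVNames must not be issued from it")
        return findings
    permitted = srv_nc.get("permitted", [])
    excluded = srv_nc.get("excluded", [])
    if not permitted:
        findings.append("issuer SRVName constraint has no permitted subtrees")
    for value in srv:
        name = value.partition(".")[2]
        if not any(in_subtree(name, base) for base in permitted):
            findings.append(f"{value}: outside permitted SRVName subtrees")
        if any(in_subtree(name, base) for base in excluded):
            findings.append(f"{value}: inside an excluded SRVName subtree")
    return findings
```

The ballot's requirement to verify the name portion under Section 3.2.2.4 is a validation procedure and is not modelled here.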
