[Servercert-wg] Draft Ballot for Cleanups
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Oct 18 02:30:52 MST 2019
On 18/10/2019 3:50 π.μ., Ryan Sleevi via Servercert-wg wrote:
>
>
> On Thu, Oct 17, 2019 at 8:18 PM Jacob Hoffman-Andrews via
> Servercert-wg <servercert-wg at cabforum.org
> <mailto:servercert-wg at cabforum.org>> wrote:
>
> On Thu, Oct 17, 2019 at 5:14 PM Ryan Sleevi via Servercert-wg
> <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>>
> wrote:
>
> On Thu, Oct 17, 2019 at 7:59 PM Jacob Hoffman-Andrews via
> Servercert-wg <servercert-wg at cabforum.org
> <mailto:servercert-wg at cabforum.org>> wrote:
>
> I'm working my way through the diffs, and overall
> this looks great. Thanks for putting it together. I do
> notice there's one important Effective Date that's in the
> past but you haven't removed: 1 July 2012, the overall
> effective date of the BRs. Is there any reason not to
> remove this one as well?
>
>
> Nope! No strong view.
>
>
> I'll work on a PR.
>
>
> Thanks. I went and merged
> https://github.com/sleevi/cabforum-docs/commit/4ed95dc591a228cc5a1ec27842af1a36db77b3ed
>
> In the process, I spotted a few more areas of dates that have now
> passed from when we started this whole process. If someone could spot
> check https://github.com/sleevi/cabforum-docs/pull/6/files and make
> sure the requirements have stayed the same, that would be great.
>
> Of particular interest are the changes to 4.2.1; while not consistent
> with Ballot 197, it's possible that the provisions might be read that
> "If the CA obtained the data prior to 1 March 2018" rather than "If
> the issuance is prior to 1 March 2018, and the CA obtained the
> data...". The latter interpretation is what is spelled out in 197, but
> the former interpretation can be read with the way things are worded.
>
> If Wayne, Jacob, or someone interested in this section could give a
> spot check (as well as the other sections that have since passed, such
> as underscores or CP/CPS changes), that'd be great.
This is probably something minor but I think there are Subordinate CA
Certificates that are used as Trust Anchors in various Root Programs.
I am also not sure what the goals for Test Certificates really are. Is
the intent for Test Certificates to never (past, present and future)
chain to a CA Certificate that can ever be used as a Trust Anchor? ANY
Trust Anchor? Trust Anchors used for Publicly-Trusted Certificates (as
defined in section 1.6.1)?
If the intent is to prohibit "Test Certificates" to ever be considered
"Publicly-Trusted", then it's probably best to change:
"**Test Certificate**: A Certificate which is issued under a CA where
there are no certificate paths/chains to a root certificate subject to
these Requirements."
to:
"**Test Certificate**: A Certificate which is issued under a CA where
there are no certificate paths/chains to a CA Certificate, subject to
these Requirements. A Test Certificate must never be considered a
Publicly-Trusted Certificate."
I also find the first paragraph of 1.1 problematic "The requirements are
not mandatory for Certification Authorities unless and until they become
adopted and enforced by relying-party Application Software Suppliers". I
don't think this meets the current expectations, but that's an issue to
discuss separately.
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191018/fca4dc67/attachment-0001.html>
More information about the Servercert-wg
mailing list