[Servercert-wg] Omitting required fields from CA Certificates

Ryan Sleevi sleevi at google.com
Tue Oct 22 14:56:52 MST 2019


To make this clearer, and in line with
https://cabforum.org/pipermail/servercert-wg/2019-October/001160.html , why
don't we separate out the GlobalSign issue from these others?

This comes back to
https://cabforum.org/pipermail/servercert-wg/2019-October/001158.html as
the scenario. We can keep the original thread focused on #1, which is much
more relevant, while keeping this thread focused on #2. #3 isn't really an
issue - it's only about #2 here.

On Tue, Oct 22, 2019 at 5:36 PM Ryan Sleevi <sleevi at google.com> wrote:

> I do think that's conflating things a little bit, although I can
> understand the appeal.
>
> https://cabforum.org/pipermail/servercert-wg/2019-October/001178.html
> discussed paths forward for the inclusion of additional fields, including
> paths forward to resolve the matter for cross-certificates, as well as to
> manage expectations about "Default Deny". As far as I can tell, this is
> relevant to the CAs you remarked on, and the larger list originally
> provided (in
> https://cabforum.org/pipermail/servercert-wg/2019-October/001154.html ).
>
> However, to the point of GlobalSign, it was issuing certificates omitting
> fields required since Ballot 199. That does seem a difference in kind and
> substance, doesn't it? The argument advanced here is simply that "We
> thought there were no rules for Cross Certificates" (as neither the Root CA
> nor Subordinate CA rules were seen as applying), and that's... harder to
> reconcile and, as mentioned, systemically problematic.
>
> Unlike the aforementioned cases, there's not a reasonable path forward for
> that, short of saying they're no longer required or not required in some
> situations - which ultimately means there's no path to removal. But
> https://cabforum.org/pipermail/servercert-wg/2019-October/001178.html is
> still just as relevant as a path forward: by making sure we focus on the
> systemic problem, and find solutions for it first and foremost.
>