[Servercert-wg] Discussion Begins: Ballot SC24: Fall Cleanup

Ryan Sleevi sleevi at google.com
Thu Oct 24 12:49:05 MST 2019

On Thu, Oct 24, 2019 at 3:36 PM Wayne Thayer <wthayer at mozilla.com> wrote:

> On Thu, Oct 24, 2019 at 12:12 PM Ryan Sleevi <sleevi at google.com> wrote:
>> In writing this up, I realized the potential confusion that can result
>> from Tim's wording here. I attempted a slight adjustment in
>> https://github.com/sleevi/cabforum-docs/compare/2019-07-Cleanups...sleevi:2019-07-TimsConcerns -
>> again, not happy with it, but trying to make progress and appease the
>> concerns. If that looks right to folks, I'll merge it.
> I'm not sure I understand the loophole, but this looks good to me except
> that the last sentence drops "SHA-2...". Was that intentional? If not, I'd
> revert it.

Was trying to cover part of the loophole; that is, an interpretation that
says "The BRs only say SHA-2 certificates shouldn't chain up to SHA-1
sub-CAs. Ergo, it's fine for SHA-1 certificates to chain up to SHA-1 sub
CAs, ergo, it's fine to issue SHA-1 certificates off SHA-1 subCAs and still
be BR compliant".

It's the same as the existing requirement; that is, because the section
states "All Subscriber Certificates MUST be SHA-2", it naturally concludes
that "All SHA-2 Subscriber Certificates" == "All Subscriber Certificates"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191024/d2258cf4/attachment.html>

More information about the Servercert-wg mailing list