[cabf_validation] 5280 limitations

Ben Wilson ben.wilson at digicert.com
Fri Mar 31 12:41:40 MST 2017


Here is a PDF with redlining to show the potential changes.

 

Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678



 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Ben
Wilson via Validation
Sent: Friday, March 31, 2017 1:13 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Ben Wilson <ben.wilson at digicert.com>
Subject: Re: [cabf_validation] 5280 limitations

 

All,

I'm working on a draft ballot to remove the 64-character limitation (and to
allow underscores in FQDNs).  One question that came up is how to handle
Section 9.2.1 of the EV Guidelines (Subject Organization Name Field), which
states, "If the combination of names or the organization name by itself
exceeds 64 characters, the CA MAY abbreviate parts of the organization name,
and/or omit non-material words in the organization name in such a way that
the text in this field does not exceed the 64-character limit; provided that
the CA checks this field in accordance with section 11.12.1 and a Relying
Party will not be misled into thinking that they are dealing with a
different organization. In cases where this is not possible, the CA MUST NOT
issue the EV Certificate."

Do I focus just on edits to the Baseline Requirements and let someone else
raise this issue with potential EV Guidelines inconsistency?  Otherwise, I
might suggest replacing the entirety of the text above with something simple
like, "This field MAY contain up to 256 characters."

 

Thanks,

 

Ben

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim
Hollebeek via Validation
Sent: Tuesday, March 21, 2017 8:49 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Tim Hollebeek <THollebeek at trustwave.com>
Subject: Re: [cabf_validation] 5280 limitations

 

I hate the arbitrary 64 character limit and would love to see PKIs move away
from it.  It has bitten me in the rear so many times I've lost count.

 

-Tim

 

From: Validation <validation-bounces at cabforum.org> on behalf of
"validation at cabforum.org" <validation at cabforum.org>
Reply-To: "validation at cabforum.org" <validation at cabforum.org>
Date: Tuesday, March 21, 2017 at 10:28 AM
To: "validation at cabforum.org" <validation at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: Re: [cabf_validation] 5280 limitations

 

No issues with browsers.   

 

I would be happy to bring this up today.

 

On Mar 21, 2017, at 7:25 AM, Bruce Morton via Validation
<validation at cabforum.org> wrote:

 

I would be concerned with failures with the browsers. Are there any current
issues?

 

Thanks, Bruce.

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
Jeremy Rowley via Validation
Sent: Tuesday, March 21, 2017 10:18 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [cabf_validation] 5280 limitations

 

Is there interest in creating an exception to 5280 for the following?

 

1.	Use of underscore characters in host names
2.	Limitation on subject fields to 64 characters

 

Jeremy

 

_______________________________________________
Validation mailing list
Validation at cabforum.org
https://cabforum.org/mailman/listinfo/validation

 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: RFC5280-related-amendment.pdf
Type: application/pdf
Size: 71119 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20170331/4103de2d/attachment-0001.pdf>
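
Added example, not part of the thread or of any CA/Browser Forum text: a small check for the two RFC 5280 constraints discussed above, the upper bounds on subject attribute lengths and the LDH rule that excludes underscores from DNS names. The function names and sample values are constructed for illustration.

```python
import re

# Upper bounds (in characters) from the ub-* constants in RFC 5280 Appendix A.
RFC5280_UPPER_BOUNDS = {
    "commonName": 64,
    "organizationName": 64,
    "organizationalUnitName": 64,
    "localityName": 128,
    "stateOrProvinceName": 128,
}

# One label in the RFC 1034 preferred name syntax: letters, digits, hyphen,
# no leading or trailing hyphen, at most 63 characters. No underscore.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Constructed sample data, not taken from any real certificate.
SAMPLE_SUBJECT = [
    ("organizationName", "Example " * 9 + "Holdings"),  # 80 characters
    ("commonName", "www.example.com"),
]
SAMPLE_DNS_NAMES = ["www.example.com", "dev_api.example.com", "*.example.com"]

def lint_subject(subject):
    """Return (attribute, message) for each value over its RFC 5280 bound."""
    findings = []
    for attr, value in subject:
        limit = RFC5280_UPPER_BOUNDS.get(attr)
        if limit is not None and len(value) > limit:
            findings.append((attr, f"{len(value)} chars exceeds limit of {limit}"))
    return findings

def lint_dns_names(names):
    """Return (name, message) for each label that is not a valid LDH label."""
    findings = []
    for name in names:
        labels = name.rstrip(".").split(".")
        if labels[0] == "*":  # the wildcard label is governed by other rules
            labels = labels[1:]
        for label in labels:
            if "_" in label:
                findings.append((name, f"underscore in label {label!r}"))
            elif not LDH_LABEL.fullmatch(label):
                findings.append((name, f"non-LDH label {label!r}"))
    return findings

if __name__ == "__main__":
    for finding in lint_subject(SAMPLE_SUBJECT) + lint_dns_names(SAMPLE_DNS_NAMES):
        print(finding)
```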

