[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies
Tim Hollebeek
tim.hollebeek at digicert.com
Fri Aug 10 20:10:12 MST 2018
I think this might be the best of both worlds, and I thank Wayne for proposing
it.
-Tim
From: Wayne Thayer <wthayer at mozilla.com>
Sent: Thursday, August 9, 2018 1:54 PM
To: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Validation WG List
<validation at cabforum.org>
Cc: Tim Hollebeek <tim.hollebeek at digicert.com>
Subject: Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation
Method in certificatePolicies
Redirecting this discussion back to my proposal...
I understand Tim's position to be that CAs should have the choice of encoding
this data as relative OIDs, even if it is difficult for the CA to do that and
causes all sorts of compatibility issues in client software. For certificate
consumers that value size above all else, the benefits may outweigh the risks.
I think this approach builds a footgun into the BRs because the odds are high
that some CAs will get it wrong (encode relative OID as OID --> misissuance)
and some clients will fail to parse data that is properly encoded as a
relative OID.
What are the objections to encoding the validation method number(s) as a
sequence of integers? This at least results in a smaller certificate that is
unlikely to cause compatibility problems. I would, of course, propose a
mechanism for expressing IP Address validation methods uniquely.
On Thu, Aug 9, 2018 at 11:10 AM Ryan Sleevi via Validation
<validation at cabforum.org> wrote:
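Added example, not part of either message above or of any ballot text: a minimal DER encoder comparing the three encodings the thread discusses (full OID, RELATIVE-OID, INTEGER), plus what an OBJECT IDENTIFIER parser recovers when relative arcs are written under the wrong tag. The base arc 2.999.1, the method numbers and the enclosing SEQUENCE are constructed assumptions, not values from the proposal.

```python
# Added example: minimal DER (X.690) encoders for the three encodings discussed.
# BASE and the method numbers are constructed placeholders, not ballot values.
BASE = (2, 999, 1)          # hypothetical arc (2.999 is the example OID arc)
METHODS = [2, 7, 10]        # constructed validation method numbers

def tlv(tag, content):
    assert len(content) < 0x80          # short-form length is enough here
    return bytes([tag, len(content)]) + content

def base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def enc_oid(arcs):
    # OBJECT IDENTIFIER (tag 0x06): first two arcs are merged as 40*a + b
    merged = [40 * arcs[0] + arcs[1], *arcs[2:]]
    return tlv(0x06, b"".join(base128(a) for a in merged))

def enc_relative_oid(arcs):
    # RELATIVE-OID (tag 0x0D): every arc is encoded as is, no merging
    return tlv(0x0D, b"".join(base128(a) for a in arcs))

def enc_integer(n):
    # non-negative INTEGER (tag 0x02), leading 0x00 when the top bit is set
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def dec_oid_arcs(der):
    # What a parser that only knows OBJECT IDENTIFIER does with the content
    arcs, v = [], 0
    for b in der[2:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    a = min(arcs[0] // 40, 2)
    return [a, arcs[0] - 40 * a, *arcs[1:]]

def sizes(methods=METHODS):
    # Total bytes of a SEQUENCE holding one element per method
    seq = lambda items: len(tlv(0x30, b"".join(items)))
    return {"oid": seq(enc_oid([*BASE, m]) for m in methods),
            "relative_oid": seq(enc_relative_oid([m]) for m in methods),
            "integer": seq(enc_integer(m) for m in methods)}

def mistagged(arcs):
    # Relative arcs written under the OBJECT IDENTIFIER tag by mistake
    return dec_oid_arcs(bytes([0x06]) + enc_relative_oid(arcs)[1:])
```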