[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Wayne Thayer wthayer at mozilla.com
Mon Aug 13 16:06:27 MST 2018


Here's an updated proposal using numbers instead of OIDs to represent the
validation methods:

https://github.com/cabforum/documents/compare/master...wthayer:Ballot226#diff-7f6d14a20e7f3beb696b45e1bf8196f2

Please review and comment.

- Wayne

On Fri, Aug 10, 2018 at 8:10 PM Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> I think this might be the best of both worlds, and I thank Wayne for
> proposing it.
>
>
>
> -Tim
>
>
>
> *From:* Wayne Thayer <wthayer at mozilla.com>
> *Sent:* Thursday, August 9, 2018 1:54 PM
> *To:* Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Validation WG
> List <validation at cabforum.org>
> *Cc:* Tim Hollebeek <tim.hollebeek at digicert.com>
> *Subject:* Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal:
> Validation Method in certificatePolicies
>
>
>
> Redirecting this discussion back to my proposal...
>
>
>
> I understand Tim's position to be that CAs should have the choice of
> encoding this data as relative OIDs, even if it is difficult for the CA to
> do that and causes all sorts of compatibility issues in client software.
> For certificate consumers that value size above all else, the benefits may
> outweigh the risks.
>
>
>
> I think this approach builds a footgun into the BRs because the odds are
> high that some CAs will get it wrong (encode relative OID as OID -->
> misissuance) and some clients will fail to parse data that is properly
> encoded as a relative OID.
>
>
>
> What are the objections to encoding the validation method number(s) as a
> sequence of integers? This at least results in a smaller certificate that
> is unlikely to cause compatibility problems. I would, of course, propose a
> mechanism for expressing IP Address validation methods uniquely.
>
>
>
> On Thu, Aug 9, 2018 at 11:10 AM Ryan Sleevi via Validation <
> validation at cabforum.org> wrote:
>
>
>
>
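The three encodings weighed in this thread, as an added example that is not part of the original messages or the ballot text. The base arc 2.999.1 (under the OID example arc), the method number 7, and all helper names are assumptions made for illustration.

```python
# Added illustration: DER size and tag confusion for the encodings discussed.
# BASE and METHOD are constructed values, not taken from the ballot.
BASE, METHOD = [2, 999, 1], 7

def base128(n):
    """One arc in base-128, high bit set on every byte except the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))

def tlv(tag, body):
    assert len(body) < 128  # short-form length is enough for this example
    return bytes([tag, len(body)]) + body

def der_oid(arcs):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs share one subidentifier."""
    head = base128(arcs[0] * 40 + arcs[1])
    return tlv(0x06, head + b"".join(base128(a) for a in arcs[2:]))

def der_relative_oid(arcs):
    """RELATIVE-OID (tag 0x0D): every arc encoded on its own."""
    return tlv(0x0D, b"".join(base128(a) for a in arcs))

def der_int_sequence(nums):
    """SEQUENCE OF INTEGER for non-negative method numbers."""
    ints = [tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big")) for n in nums]
    return tlv(0x30, b"".join(ints))

def decode_oid(der):
    """Decode tag 0x06 the way a certificate consumer would."""
    assert der[0] == 0x06
    arcs, cur = [], 0
    for b in der[2:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    x = min(arcs[0] // 40, 2)
    return [x, arcs[0] - 40 * x] + arcs[1:]

if __name__ == "__main__":
    for name, der in [("OID", der_oid(BASE + [METHOD])),
                      ("RELATIVE-OID", der_relative_oid([METHOD])),
                      ("SEQUENCE OF INTEGER", der_int_sequence([METHOD]))]:
        print(f"{name:20} {len(der)} bytes  {der.hex()}")
    # Relative-OID content bytes under the OID tag parse as a different OID.
    mislabelled = b"\x06" + der_relative_oid([METHOD])[1:]
    print("mislabelled decodes as", decode_oid(mislabelled))
```

A certificate linter can apply the same comparison: content that only makes sense as a relative value but carries tag 0x06 decodes to an unrelated absolute OID rather than failing to parse.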