[cabf_validation] Clarification of BRs to address "default deny" implications

Doug Beattie doug.beattie at globalsign.com
Wed Feb 19 00:49:39 MST 2020


This is my attempt to list the important sections of the BRs and get comments on where "default deny" is not clear or will break things.  This is one way to review the BRs, perhaps not the best, but this will get the discussions moving to address sections of the BRs which are not 100% clear:

https://docs.google.com/document/d/1i3CvNbd6mHI9KYYith94C7RQ-ny6ibuo7x7j7m9hSM4/edit



Here is one obvious example, 4.9.10:

     OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019.

If we were to take a "default deny" view of this, then POST is prohibited.  If "default deny is the only reasonable way to interpret the BRs", then we need to fix this statement and others like it.

During the VWG meeting yesterday there was a suggestion to review the lists to be sure that they are clearly either "the" list, or if it's a sample of the list (others permitted).  If anyone wants to review this and supply their comments, then that would be great.  We can collect up the recommended changes from this document into a clarification ballot, or ballots.

Doug




