[cabf_validation] Cert Profile spec: question about the outline/ToC

Aaron Gable aaron at letsencrypt.org
Mon Aug 2 16:36:00 UTC 2021


(Ugh, apologies for the double message; threading was broken between the
original message and Ryan's reply and I did not see his reply before
sending my own.)

On Mon, Aug 2, 2021 at 9:33 AM Aaron Gable via Validation <
validation at cabforum.org> wrote:

> Unfortunately, RFC 3647 Section 4.7
> <https://datatracker.ietf.org/doc/html/rfc3647#section-4.7> suggests that
> Section 7.1 be the Certificate Profile, 7.2 be the CRL Profile, and 7.3 be
> the OCSP Profile. Of course, 3647 is informational, not normative, and so
> the BRs are free to depart from it as appropriate, but this change would be
> the first such departure.
>
> Aaron
>
> On Mon, Aug 2, 2021 at 8:35 AM Doug Beattie via Validation <
> validation at cabforum.org> wrote:
>
>> Hi Ryan,
>>
>>
>>
>> When I was reviewing the latest spec,
>> https://github.com/sleevi/cabforum-docs/pull/36/files,  I was struck by
>> the Table of Contents that I built in Word having 40 pages in section
>> 7.1.2.  There is no heading for the various types of cert profiles because
>> it’s all buried in “7.1.2 Certificate Content and Extensions”
>>
>>
>>
>> Would it be possible/logical to re-chunk that section to avoid such long
>> numbered headers and to bring some of the important items into a higher
>> level and into the ToC?  It would be more obvious about where certain
>> sections are located and provide a better grouping of data, imo
>>
>>
>>
>> This is just a suggestion, but could we consider an organization similar
>> to this?   Apologies if this has been discussed and resolved previously.
>>
>>
>> 7 CERTIFICATE, CRL, AND OCSP PROFILES
>> 7.1 CA Certificates
>> 7.1.1 Root CA Certificate Profile (was 7.1.2.1)
>> 7.1.2 Cross-Certified Subordinate CA Certificate Profile (was 7.1.2.2)
>> 7.1.3 Technically Constrained Non-TLS Subordinate CA Certificate Profile (was 7.1.2.3)
>> 7.1.4 Technically Constrained TLS Subordinate CA Certificate Profile (was 7.1.2.4)
>> 7.1.5 TLS Subordinate CA Certificate Profile (was 7.1.2.5)
>> 7.1.6 Common CA Fields (was 7.1.2.8)
>> 7.2 Leaf Certificates
>> 7.2.1 Subscriber (Server) Certificate Profile (was 7.1.2.6)
>> 7.2.2 OCSP Responder Certificate Profile (was 7.1.2.7)
>> 7.2.3 Infra Certificate Profile?
>> 7.2.4 Common <leaf> Certificate Fields (was 7.1.2.9)
>> 7.3 All Certificates (was 7.1.2.4, but this is probably a typo since and should be 7.1.2.10 according to the current spec).
>> 7.3.1 Application of RFC 5280 (was 7.1.2.5 – probably should have been 7.1.2.11)
>> 7.3.2 Algorithm object identifiers (was 7.1.3)
>> 7.3.3 Name Forms (was 7.1.4)
>> 7.3.4 Certificate policy object identifier (was 7.1.6)
>> 7.3.5 Usage of Policy Constraints extension (was 7.1.7)
>> 7.3.6 Policy qualifiers syntax and semantics (was 7.1.8)
>> 7.3.7 Processing semantics for the critical Certificate Policies extension (was 7.1.9) – maybe this should be 7.4 and not under “all Certificates”
>> 7.4 CRL Profile (was 7.2)
>> 7.5 OCSP Profile (was 7.3)
>>
>>
>>
>>
>> _______________________________________________
>> Validation mailing list
>> Validation at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/validation
>>