[cabfpub] Draft Ballot - Baseline Requirements Corrections
rbarnes at mozilla.com
Wed Mar 30 12:19:16 MST 2016
This also seems like it would be a good application for the CABF Github
On Wed, Mar 30, 2016 at 2:54 PM, Rick Andrews <Rick_Andrews at symantec.com>
> Peter, you've done a lot of work here, and I don't want to appear
> ungrateful, but it's difficult to follow some of these changes. In the
> past, others have submitted ballots with redlined Word or pdf docs to make
> it easier to see exactly what is changing. Would it be possible to do that
> for this ballot?
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Peter Bowen
> Sent: Monday, March 28, 2016 5:27 PM
> To: CABFPub <public at cabforum.org>
> Subject: [cabfpub] Draft Ballot - Baseline Requirements Corrections
> Here is the combined set of changes from the corrections thread. It does
> not include allowing underscore in FQDNs nor does it allow U-labels in
> commonName attributes, as these did not appear to have consensus. It does
> include a basic proposed change to the allowable content of the
> organizationName field of CA certificates, to match what is allowed in
> non-CA certificates, as an attempt to incorporate feedback from discussion
> on that topic.
> I’ve proposed making these immediately effective, as I did not hear people
> calling out a need for time to implement.
> Ballot 1XX: Baseline Requirements Corrections
> The following motion has been proposed by Peter Bowen of Amazon and
> endorsed by _____________ of _____________ and __________ of ____________:
> A number of small corrections and clarifications to the Baseline
> Requirements have been identified. These are, in general, changes that
> reflect the existing understanding of the Baseline Requirements by the
> Forum. Due to the understanding that these primarily represent existing
> practice, they are combined for efficiency.
> -- MOTION BEGINS --
> Effective the date of passage, the following modifications to the Baseline
> Requirements are adopted:
> In Section 1.6.1:
> - In the definition of "Applicant Representative", replace "and agrees to
> CA" at the end of the definition;
> the definition;
> - In the definition of "Wildcard Certificate", replace "an asterisk (*) in
> the left‐most position of any of the Subject Fully‐Qualified Domain Names"
> with "a Wildcard DN in any of the Subject Alternative Name dNSNames";
> - Insert a new definition: "Wildcard Domain Name (Wildcard DN): A Domain
> Name formed by prepending '*.' to a FQDN"
> In section 126.96.36.199:
> - Replace "wildcard character (*)" with "Wildcard DN";
> - Replace "wildcard character occurs in the first label position to the
> left of" with "FQDN portion of the Wildcard DN is";
> - Replace " a wildcard would fall within the label immediately to the left
> of a registry‐controlled† or public suffix," with "so,";
> - Replace "“*.example.com” to Example Co." with "“*.example” if the
> .example gTLD includes Specification 13 in its registry agreement".
> Move the content in section 3.3.1 to section 4.2.1 to become the third
> paragraph in 4.2.1 and leave section 3.3.1 blank.
> In section 4.9.9, replace all occurrences of "RFC2560" with "RFC6960".
> In section 5.2.2, insert "CA" immediately before "Private Key".
> In section 6.1.2, append "without authorization by the Subscriber" to the
> end of the first sentence.
> In section 6.1.6, update the last citation to read: "[Source: Sections
> 188.8.131.52.2 and 184.108.40.206.3, respectively, of NIST SP 56A: Revision 2]"
> In section 6.2, in the second sentence, insert "CA" immediately before
> both instances of "Private Key".
> In section 6.2.5, append "without authorization by the Subordinate CA" to
> the end of the sentence.
> In section 7, insert the following introduction paragraph:
> "All Certificates and Certificate Revocation Lists SHALL comply with RFC
> 5280 and RFC 6818. They SHALL additionally comply with RFC3279, RFC4055,
> RFC5480, RFC5756, RFC5758 as appropriate based on the Subject Public Key
> Info and the Signature Algorithm present in the certificate."
> In sections 220.127.116.11(e) and 18.104.22.168(h) change the organizationName line to
> "- organizationName (OID 22.214.171.124): This field MUST be present and the
> contents MUST contain either the Subject CA’s name or DBA as verified under
> Section 126.96.36.199. The CA may include information in this field that differs
> slightly from the verified name, such as common variations or
> abbreviations, provided that the CA documents the difference and any
> abbreviations used are locally accepted abbreviations; e.g., if the
> official record shows “Company Name Incorporated”, the CA MAY use “Company
> Name Inc.” or “Company Name”."
> Change the title of section 188.8.131.52 to "Subject Information - Subscriber
> In section 184.108.40.206.1, replace "Wildcard FQDNs are permitted." with
> "Wildcard DNs are permitted as an exception to RFC5280 and X.509".
> In section 9.6.1 item 6:
> - Insert "are the same entity or" immediately prior to "are Affiliated";
> - Remove "and accepted".
> In section 9.6.3 item 2, replace "maintain sole control" with "assure
> In the following sections, replace all occurrences of "Subscriber or Terms
> - Section 1.6.1, in the definition of "Subscriber"
> - Section 4.1.2
> - Section 220.127.116.11
> - Section 4.9.11
> - Section 9.6.1
> - Section 9.6.3
> -- MOTION ENDS --
> Public mailing list
> Public at cabforum.org