Ryan does, in my opinion, make a valid criticism here. It would seem necessary, for this exercise to be truly worthwhile, to be in the position where the mandated inclusion of these OIDs determined which revision of the BRs a certificate was actually issued under.
So, why not modify the BRs so that section 9.3.1 also encodes the revision of the BRs in the OID? This is not a proliferation of OIDs and is easily handled programmatically. For example, to specify issuance under a hypothetical 1.1.9:

2.23.140.1.2.1.1.1.9
2.23.140.1.2.2.1.1.9

Such a change would also by nature signify that it was issued at the point where such inclusion was mandated and not optional. Some of the private OIDs that CAs already include that become unnecessary because of the change could be deprecated and removed over time.

Nick

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
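As an added illustration of how the scheme proposed above could be consumed programmatically (example code, not from the post or from any CA/B Forum document): the revision-bearing OID form is the post's hypothetical, and `parse_br_policy_oid`, `issued_under_at_least` and the sample private OID are assumptions. Only the two prefixes `2.23.140.1.2.1` (DV) and `2.23.140.1.2.2` (OV) are real.

```python
"""Decode BR policy OIDs that carry a Baseline Requirements revision (hypothetical scheme).
  2.23.140.1.2.1.<major>.<minor>.<patch>  DV, issued under BR major.minor.patch
  2.23.140.1.2.2.<major>.<minor>.<patch>  OV, issued under BR major.minor.patch
The bare OIDs 2.23.140.1.2.1 / 2.23.140.1.2.2 stay valid but encode no revision.
"""
from typing import Iterable, NamedTuple, Optional, Tuple

# Real CA/Browser Forum BR policy OID prefixes (BRs section 9.3.1).
BR_POLICY_PREFIXES = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV"}
Revision = Tuple[int, int, int]

class BrPolicy(NamedTuple):
    policy: str                    # "DV" or "OV"
    revision: Optional[Revision]   # None when the OID encodes no revision

def parse_br_policy_oid(oid: str) -> Optional[BrPolicy]:
    """Return policy type and encoded BR revision; None for non-BR or malformed OIDs."""
    arcs = oid.split(".")
    if not all(arc.isdigit() for arc in arcs):
        return None
    for prefix, policy in BR_POLICY_PREFIXES.items():
        prefix_arcs = prefix.split(".")
        if arcs[: len(prefix_arcs)] != prefix_arcs:
            continue
        tail = arcs[len(prefix_arcs):]
        if not tail:
            return BrPolicy(policy, None)   # legacy form: revision unknown
        if len(tail) != 3:
            return None                     # revision must be exactly major.minor.patch
        major, minor, patch = (int(arc) for arc in tail)
        return BrPolicy(policy, (major, minor, patch))
    return None

def issued_under_at_least(policy_oids: Iterable[str], minimum: Revision = (1, 1, 9)) -> bool:
    """True if some BR policy OID in certificatePolicies encodes a revision >= minimum.

    A certificate carrying only the bare OID yields False: its revision is unknown,
    which is exactly the ambiguity the revision-bearing OID removes.
    """
    for oid in policy_oids:
        parsed = parse_br_policy_oid(oid)
        if parsed and parsed.revision is not None and parsed.revision >= minimum:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample certificatePolicies contents: a made-up private CA OID plus DV under 1.1.9.
    sample = ["1.3.6.1.4.1.99999.1.2", "2.23.140.1.2.1.1.1.9"]
    print(parse_br_policy_oid(sample[1]), issued_under_at_least(sample))  # DV (1, 1, 9), True
```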

