> On Feb 24, 2016, at 10:56 AM, Jeremy Rowley <[email protected]>
> wrote:
>
> I’ve been playing around with Peter Bowen’s certlint (an excellent tool) and,
> looking at the cert universe as a whole, there are some noticeable issues
> with the BRs and RFC 5280 that I thought merited a public CAB Forum
> discussion. Some of this is likely me not knowing the entire history of
> 5280, so I appreciate any explanation. If there are exceptions we would like
> to make to RFC 5280, we should probably also push a bis with IETF at the same
> time.
>
> Here’s what I’m noticing are common issues:
> 1) Org names, common names, and address fields are limited to 64
> characters. Very few international companies can comply with this
> restriction. It’s even worse if you are converting an IDN to a printable
> string. I don’t think any browsers limit this to 64 characters? Is there a
> strong objection to permitting longer strings in these fields?
> 2) keyAgreement isn’t specifically prohibited in the BRs or 5280.
> However, keyAgreement should no longer be used in ECC certs because of
> security issues as explained by Ryan Sleevi in previous emails. We should
> update the BRs to prohibit keyAgreement.
I used RFCs 5280, 6818, 3279, 5480, and 5758. Several of these specify what
key usages are acceptable with which public key types. Are you suggesting that
the other PKIX RFCs are not what CAs should be following?
> 3) Years ago, we discussed that 2047 bit certs were equivalent to 2048
> bit certs (although the discussion may have occurred solely on the Mozilla
> mailing list). We should codify this exception.
> 4) Why is teletex string not permissible on a lot of these fields? I
> also don’t understand the weird requirement to use printablestring over UTF8
> for some fields. Specifically, requiring a printable string for
> subject:serialNumber could cause issues with the EV Guidelines if a country
> uses an IDN as part of their registration number.
TeletexString (along with its friends VideotexString, GraphicString, and
GeneralString) are almost impossible to get right. They all allow ISO/IEC 2022
escape sequences and require escape sequences to use characters outside the
default character set. TeletexString specifically defines the default graphics
(G0) character set as T.61-7bit (102) rather than ASCII (6), which leads to
interesting surprises. For example {, }, and ^ are not allowed.
Thanks,
Peter

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
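Peter's point about the T.61 default set behind TeletexString, and Jeremy's questions about the 64-character upper bounds and the PrintableString requirement, can be checked mechanically. The following is an added Python example written for this page, not certlint's own code; the function names are assumptions, and the TeletexString exclusion list is only the three characters named in the thread, not the full T.61 table.

```python
"""Subject attribute checks in the spirit of certlint (constructed example)."""
import string

# RFC 5280 Appendix A upper bounds; 5280 counts them in characters, not octets.
UB_COMMON_NAME = 64
UB_ORGANIZATION_NAME = 64

# PrintableString repertoire (X.680): letters, digits and these marks only.
PRINTABLE_CHARS = set(string.ascii_letters + string.digits + " '()+,-./:=?")

# Characters the thread names as absent from the T.61 7-bit G0 set used by
# TeletexString. The real table omits more; this is the thread's list only.
T61_G0_MISSING = set("{}^")


def choose_directory_string(value: str) -> str:
    """Pick the RFC 5280 DirectoryString encoding a CA should emit."""
    return "PrintableString" if set(value) <= PRINTABLE_CHARS else "UTF8String"


def teletex_unsafe_chars(value: str) -> set:
    """Characters that fall outside the TeletexString default (G0) set."""
    return set(value) & T61_G0_MISSING


def lint_attribute(value: str, upper_bound: int = UB_ORGANIZATION_NAME,
                   printable_only: bool = False) -> list:
    """Return findings for one subject attribute value.

    printable_only models attributes such as subject:serialNumber whose
    syntax is PrintableString rather than DirectoryString.
    """
    findings = []
    if len(value) > upper_bound:  # len() counts characters, as 5280 requires
        findings.append(f"length {len(value)} exceeds upper bound {upper_bound}")
    if printable_only and choose_directory_string(value) != "PrintableString":
        bad = sorted(set(value) - PRINTABLE_CHARS)
        findings.append(f"not PrintableString-encodable: {bad}")
    if teletex_unsafe_chars(value):
        findings.append("outside TeletexString G0 set: "
                        f"{sorted(teletex_unsafe_chars(value))}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, including a 64-character name that is
    # 128 octets in UTF-8 and still within the bound.
    for sample in ["Example, Inc.", "M\u00fcller GmbH", "A" * 65,
                   "\u00c4" * 64, "foo {bar}"]:
        print(repr(sample), choose_directory_string(sample),
              lint_attribute(sample) or "ok")
```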