Good questions Jeremy.
I hate to ask, but is rfc 5019 another RFC that must be met in order to be BR
compliant, and will any errors there be warnings or full audit findings? There
are a lot of rules about cache values which we might not be all compliant with.
https://certificate.revocationcheck.com/
From: [email protected] [mailto:[email protected]] On
Behalf Of Jeremy Rowley
Sent: Wednesday, February 24, 2016 1:56 PM
To: [email protected]
Subject: [cabfpub] RFC5280
I've been playing around with Peter Bowen's certlint (an excellent tool) and,
looking at the cert universe as a whole, there are some noticeable issues with
the BRs and RFC 5280 that I though merited a public CAB Forum discussion. Some
of this is likely me not knowing the entire history of 5280, so I appreciated
any explanation. If there's exceptions we would like to make to RFC5280, we
should probably also push a bis with IETF at the same time.
Here's what I'm noticing are common issues:
1) Org names, common names, and address fields are limited to 64
characters. Very few international companies can comply with this restriction.
It's even worse if you are converting an IDN to a printable string. I don't
think any browsers limit this to 64 characters? Is there a strong objection to
permitting longer strings in these fields?
2) keyAgreement isn't specifically prohibited in the BRs or 5280. However,
keyAgreement should no longer be used in ECC certs because of security issues
as explained by Ryan Sleevi in previous emails . We should update the BRs to
prohibit keyAgreement.
3) Years ago, we discussed that 2047 bit certs were equivalent to 2048 bit
certs (although the discussion may have occurred solely on the Mozilla mailing
list). We should codify this exception.
4) Why is teletext string not permissible on a lot of these fields? I also
don't understand the weird requirement to use printablestring over UTRF8 for
some fields. Specifically, requiring a printable string for
subject:serialNumber could cause issues with the EV Guidelines if a country
uses an IDN as part of their registration number.
Thoughts?
Jeremy
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
