On 1/4/2016 2:06 AM, Peter Bowen wrote:
Here is a revised draft.  It removes the wildcard changes and fixes a few small 
typos.  Any more changes or does anyone want to endorse?


HARICA endorses this proposed ballot.

DZ.


On Mar 30, 2016, at 9:17 PM, Peter Bowen <[email protected]> wrote:

Here is a redlined version in MS Word format.
<CA-Browser Forum BR 1.3.3-corrections.doc>

On Mar 30, 2016, at 11:54 AM, Rick Andrews <[email protected]> wrote:

Peter, you've done a lot of work here, and I don't want to appear ungrateful, 
but it's difficult to follow some of these changes. In the past, others have 
submitted ballots with redlined Word or pdf docs to make it easier to see 
exactly what is changing. Would it be possible to do that for this ballot?

-Rick

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Peter Bowen
Sent: Monday, March 28, 2016 5:27 PM
To: CABFPub <[email protected]>
Subject: [cabfpub] Draft Ballot - Baseline Requirements Corrections

All,

Here is the combined set of changes from the corrections thread.  It does not 
include allowing underscore in FQDNs nor does it allow U-labels in commonName 
attributes, as these did not appear to have consensus.  It does include a basic 
proposed change to the allowable content of the organizationName field of CA 
certificates, to match what is allowed in non-CA certificates, as an attempt to 
incorporate feedback from discussion on that topic.

I’ve proposed making these immediately effective, as I did not hear people 
calling out a need for time to implement.

Thanks,
Peter

=============

Ballot 1XX: Baseline Requirements Corrections

The following motion has been proposed by Peter Bowen of Amazon and endorsed by 
_____________ of _____________ and __________ of ____________:

Background:

A number of small corrections and clarifications to the Baseline Requirements 
have been identified.  These are, in general, changes that reflect the existing 
understanding of the Baseline Requirements by the Forum.  Due to the 
understanding that these primarily represent existing practice, they are 
combined for efficiency.

-- MOTION BEGINS --

Effective the date of passage, the following modifications to the Baseline 
Requirements are adopted:

In Section 1.6.1:
- In the definition of "Applicant Representative", replace "and agrees to the Certificate Terms of 
Use" with "the Terms of Use" and append "or is the CA" at the end of the definition;
- In the definition of "Terms of Use", append "or is the CA" at the end of the 
definition;
- In the definition of "Wildcard Certificate", replace "an asterisk (*) in the left‐most 
position of any of the Subject Fully‐Qualified Domain Names" with "a Wildcard DN in any of the 
Subject Alternative Name dNSNames";
- Insert a new definition: "Wildcard Domain Name (Wildcard DN): A Domain Name formed 
by prepending '*.' to a FQDN"

In section 3.2.2.6:
- Replace "wildcard character (*)" with "Wildcard DN";
- Replace "wildcard character occurs in the first label position to the left of" with 
"FQDN portion of the Wildcard DN is";
- Replace " a wildcard would fall within the label immediately to the left of a 
registry‐controlled† or public suffix," with "so,";
- Replace "“*.example.com” to Example Co." with "“*.example” if the .example gTLD 
includes Specification 13 in its registry agreement".

Move the content in section 3.3.1 to section 4.2.1 to become the third 
paragraph in 4.2.1 and leave section 3.3.1 blank.

In section 4.9.9, replace all occurrences of "RFC2560" with "RFC6960".

In section 5.2.2, insert "CA" immediately before "Private Key".

In section 6.1.2, append "without authorization by the Subscriber" to the end 
of the first sentence.

In section 6.1.6, update the last citation to read: "[Source: Sections 5.6.2.3.2 and 
5.6.2.3.3, respectively, of NIST SP 56A: Revision 2]"

In section 6.2, in the second sentence, insert "CA" immediately before both instances of 
"Private Key".

In section 6.2.5, append "without authorization by the Subordinate CA" to the 
end of the sentence.

In section 7, insert the following introduction paragraph:
"All Certificates and Certificate Revocation Lists SHALL comply with RFC 5280 and 
RFC 6818.  They SHALL additionally comply with RFC3279, RFC4055, RFC5480, RFC5756, 
RFC5758 as appropriate based on the Subject Public Key Info and the Signature Algorithm 
present in the certificate."

In sections 7.1.2.1(e) and 7.1.2.2(h) change the organizationName line to read:
"-  organizationName (OID 2.5.4.10): This field MUST be present and the contents 
MUST contain either the Subject CA’s name or DBA as verified under Section 3.2.2.2. The 
CA may include information in this field that differs slightly from the verified name, 
such as common variations or abbreviations, provided that the CA documents the difference 
and any abbreviations used are locally accepted abbreviations; e.g., if the official 
record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company 
Name”."

Change the title of section 7.1.4.2 to "Subject Information - Subscriber 
Certificates".

In section 7.1.4.2.1, replace "Wildcard FQDNs are permitted." with "Wildcard DNs are 
permitted as an exception to RFC5280 and X.509".

In section 9.6.1 item 6:
- Insert "are the same entity or" immediately prior to "are Affiliated";
- Remove "and accepted".

In section 9.6.3, replace "agreement to the Terms of Use agreement." with 
"acknowledgement of the Terms of Use."

In section 9.6.3 item 2, replace "maintain sole control" with "assure control".

In the following sections, replace all occurrences of "Subscriber or Terms of Use 
Agreement" with "Subscriber Agreement or Terms of Use".
- Section 1.6.1, in the definition of "Subscriber"
- Section 4.1.2
- Section 4.9.1.1
- Section 4.9.11
- Section 9.6.1
- Section 9.6.3

-- MOTION ENDS --

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public