All, Here is the combined set of changes from the corrections thread. It does not include allowing underscore in FQDNs nor does it allow U-labels in commonName attributes, as these did not appear to have consensus. It does include a basic proposed change to the allowable content of the organizationName field of CA certificates, to match what is allowed in non-CA certificates, as an attempt to incorporate feedback from discussion on that topic.
I’ve proposed making these immediately effective, as I did not hear people calling out a need for time to implement. Thanks, Peter ============= Ballot 1XX: Baseline Requirements Corrections The following motion has been proposed by Peter Bowen of Amazon and endorsed by _____________ of _____________ and __________ of ____________: Background: A number of small corrections and clarifications to the Baseline Requirements have been identified. These are, in general, changes that reflect the existing understanding of the Baseline Requirements by the Forum. Due to the understanding that these primarily represent existing practice, they are combined for efficiency. -- MOTION BEGINS -- Effective the date of passage, the following modifications to the Baseline Requirements are adopted: In Section 1.6.1: - In the definition of "Applicant Representative", replace "and agrees to the Certificate Terms of Use" with "the Terms of Use" and append "or is the CA" at the end of the definition; - In the definition of "Terms of Use", append "or is the CA" at the end of the definition; - In the definition of "Wildcard Certificate", replace "an asterisk (*) in the left‐most position of any of the Subject Fully‐Qualified Domain Names" with "a Wildcard DN in any of the Subject Alternative Name dNSNames"; - Insert a new definition: "Wildcard Domain Name (Wildcard DN): A Domain Name formed by prepending '*.' to a FQDN" In section 3.2.2.6: - Replace "wildcard character (*)" with "Wildcard DN"; - Replace "wildcard character occurs in the first label position to the left of" with "FQDN portion of the Wildcard DN is"; - Replace " a wildcard would fall within the label immediately to the left of a registry‐controlled† or public suffix," with "so,"; - Replace "“*.example.com” to Example Co." with "“*.example” if the .example gTLD includes Specification 13 in its registry agreement". Move the content in section 3.3.1 to section 4.2.1 to become the third paragraph in 4.2.1 and leave section 3.3.1 blank. In section 4.9.9, replace all occurrences of "RFC2560" with "RFC6960". In section 5.2.2, insert "CA" immediately before "Private Key". In section 6.1.2, append "without authorization by the Subscriber" to the end of the first sentence. In section 6.1.6, update the last citation to read: "[Source: Sections 5.6.2.3.2 and 5.6.2.3.3, respectively, of NIST SP 56A: Revision 2]" In section 6.2, in the second sentence, insert "CA" immediately before both instances of "Private Key". In section 6.2.5, append "without authorization by the Subordinate CA" to the end of the sentence. In section 7, insert the following introduction paragraph: "All Certificates and Certificate Revocation Lists SHALL comply with RFC 5280 and RFC 6818. They SHALL additionally comply with RFC3279, RFC4055, RFC5480, RFC5756, RFC5758 as appropriate based on the Subject Public Key Info and the Signature Algorithm present in the certificate." In sections 7.1.2.1(e) and 7.1.2.2(h) change the organizationName line to read: "- organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section 3.2.2.2. The CA may include information in this field that differs slightly from the verified name, such as common variations or abbreviations, provided that the CA documents the difference and any abbreviations used are locally accepted abbreviations; e.g., if the official record shows “Company Name Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”." Change the title of section 7.1.4.2 to "Subject Information - Subscriber Certificates". In section 7.1.4.2.1, replace "Wildcard FQDNs are permitted." with "Wildcard DNs are permitted as an exception to RFC5280 and X.509". In section 9.6.1 item 6: - Insert "are the same entity or" immediately prior to "are Affiliated"; - Remove "and accepted". In section 9.6.3, replace "agreement to the Terms of Use agreement." with "acknowledgement of the Terms of Use." In section 9.6.3 item 2, replace "maintain sole control" with "assure control". In the following sections, replace all occurrences of "Subscriber or Terms of Use Agreement" with "Subscriber Agreement or Terms of Use". - Section 1.6.1, in the definition of "Subscriber" - Section 4.1.2 - Section 4.9.1.1 - Section 4.9.11 - Section 9.6.1 - Section 9.6.3 -- MOTION ENDS -- _______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
