Skip to main content

Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 6818

Yes

(Sean Turner)

No Objection

(Adrian Farrel)
(Benoît Claise)
(Brian Haberman)
(Gonzalo Camarillo)
(Martin Stiemerling)
(Ralph Droms)
(Robert Sparks)
(Ron Bonica)
(Stewart Bryant)
(Wesley Eddy)

Recuse


Note: This ballot was opened for revision 10 and is now closed.

(Barry Leiba; former steering group member) Yes

Yes (2012-10-19 for -10)
I'm glad to see these clarifications, and I'm happy to ballot "yes".  A few notes, and one question I'd appreciate an answer to, if you don't mind:

Notes:

I would have appreciated the use of proper change bars on the paragraphs.  When one sentence in a paragraph is changed, it's hard to pick out what changed -- I wind up having to read the old and new paragraphs back and forth, one sentence or one phrase at a time.  Harder than it needs to be, and especially bad when there's gratuitous moving of words from one line to another (as in Section 4).  That made this difficult to review.

-- Section 9 --
The RFC Editor will likely change "versions 00 through 04" to "earlier versions"; they don't like to refer to specific versions of drafts like that.  If you really don't want that change, you might have to fight them on it.

Question:

-- Section 3 --
This changes "MAY use IA5String" to "MUST NOT" use IA5String.  This makes some formerly conforming CAs non-conforming... what is the effect of this in actual practice?  Are there known CAs that are using IA5String?

(Sean Turner; former steering group member) Yes

Yes (for -10)

                            

(Stephen Farrell; former steering group member) Yes

Yes (2012-10-17 for -10)
Glad to see we've finally got this done. Thanks to all involved.
All of the updates seem correct and appropriate to me. 

While there might be other things  about 5280 that one could 
consider wanting to update, at this point there would likely be 
sufficient difficulty in achieving rough consensus on any such 
addition that its simply not worth the effort.

(Adrian Farrel; former steering group member) No Objection

No Objection (for -10)

                            

(Benoît Claise; former steering group member) No Objection

No Objection (for -10)

                            

(Brian Haberman; former steering group member) No Objection

No Objection (for -10)

                            

(Gonzalo Camarillo; former steering group member) No Objection

No Objection (for -10)

                            

(Martin Stiemerling; former steering group member) No Objection

No Objection (for -10)

                            

(Pete Resnick; former steering group member) No Objection

No Objection (2012-10-25 for -10)
Section 3:

     Conforming CAs SHOULD use the
     UTF8String encoding for explicitText, but MAY use VisibleString or
     BMPString.

This is (as was 5280) worded oddly. I can take this to either mean, "UTF8String is the requirement. However, there are circumstances under which you might violate this requirement, in which case VisibleString or BMPString are the only possible alternatives", or "Any one of UTF8String, VisibleString, or BMPString are acceptable, but UTF8String is preferred." The combination of SHOULD and MAY makes this ambiguous. I think you should fix it.

(Ralph Droms; former steering group member) No Objection

No Objection (for -10)

                            

(Robert Sparks; former steering group member) No Objection

No Objection (for -10)

                            

(Ron Bonica; former steering group member) No Objection

No Objection (for -10)

                            

(Stewart Bryant; former steering group member) No Objection

No Objection (for -10)

                            

(Wesley Eddy; former steering group member) No Objection

No Objection (for -10)

                            

(Russ Housley; former steering group member) Recuse

Recuse (2012-10-19 for -10)
  Please consider the Gen-ART Review comments from Vijay Gurbani on
  16-Oct-2012:

  - S1: The fourth paragraph should be put right underneath the second
  paragraph since the former continues discussion started by the latter.

  - S1: Last paragraph -- it will be good to provide some documentation
  regarding the "observed attacks".  Especially a link to relevant
  papers of archival quality discussing the attacks will be helpful.  If
  the attacks are related to the Diginotar and Comodo break-ins, then
  there is an archival paper [1] at a reasonably high level from IEEE
  that discusses this and provides a starting point for those who want
  to learn more.

  [1] Neal Leavitt, "Internet security under attack: The undermining of
      digital certificates," pp. 17-20, IEEE Computer, December 2011.