Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 6818
Yes
No Objection
Recuse
Note: This ballot was opened for revision 10 and is now closed.
(Barry Leiba; former steering group member) Yes
I'm glad to see these clarifications, and I'm happy to ballot "yes". A few notes, and one question I'd appreciate an answer to, if you don't mind: Notes: I would have appreciated the use of proper change bars on the paragraphs. When one sentence in a paragraph is changed, it's hard to pick out what changed -- I wind up having to read the old and new paragraphs back and forth, one sentence or one phrase at a time. Harder than it needs to be, and especially bad when there's gratuitous moving of words from one line to another (as in Section 4). That made this difficult to review. -- Section 9 -- The RFC Editor will likely change "versions 00 through 04" to "earlier versions"; they don't like to refer to specific versions of drafts like that. If you really don't want that change, you might have to fight them on it. Question: -- Section 3 -- This changes "MAY use IA5String" to "MUST NOT" use IA5String. This makes some formerly conforming CAs non-conforming... what is the effect of this in actual practice? Are there known CAs that are using IA5String?
(Sean Turner; former steering group member) Yes
(Stephen Farrell; former steering group member) Yes
Glad to see we've finally got this done. Thanks to all involved. All of the updates seem correct and appropriate to me. While there might be other things about 5280 that one could consider wanting to update, at this point there would likely be sufficient difficulty in achieving rough consensus on any such addition that its simply not worth the effort.
(Adrian Farrel; former steering group member) No Objection
(Benoît Claise; former steering group member) No Objection
(Brian Haberman; former steering group member) No Objection
(Gonzalo Camarillo; former steering group member) No Objection
(Martin Stiemerling; former steering group member) No Objection
(Pete Resnick; former steering group member) No Objection
Section 3:
Conforming CAs SHOULD use the
UTF8String encoding for explicitText, but MAY use VisibleString or
BMPString.
This is (as was 5280) worded oddly. I can take this to either mean, "UTF8String is the requirement. However, there are circumstances under which you might violate this requirement, in which case VisibleString or BMPString are the only possible alternatives", or "Any one of UTF8String, VisibleString, or BMPString are acceptable, but UTF8String is preferred." The combination of SHOULD and MAY makes this ambiguous. I think you should fix it.
(Ralph Droms; former steering group member) No Objection
(Robert Sparks; former steering group member) No Objection
(Ron Bonica; former steering group member) No Objection
(Stewart Bryant; former steering group member) No Objection
(Wesley Eddy; former steering group member) No Objection
(Russ Housley; former steering group member) Recuse
Please consider the Gen-ART Review comments from Vijay Gurbani on
16-Oct-2012:
- S1: The fourth paragraph should be put right underneath the second
paragraph since the former continues discussion started by the latter.
- S1: Last paragraph -- it will be good to provide some documentation
regarding the "observed attacks". Especially a link to relevant
papers of archival quality discussing the attacks will be helpful. If
the attacks are related to the Diginotar and Comodo break-ins, then
there is an archival paper [1] at a reasonably high level from IEEE
that discusses this and provides a starting point for those who want
to learn more.
[1] Neal Leavitt, "Internet security under attack: The undermining of
digital certificates," pp. 17-20, IEEE Computer, December 2011.