Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 6818

Note: This ballot was opened for revision 10 and is now closed.

(Stephen Farrell) Yes

Comment (2012-10-17 for -10)
No email
send info
Glad to see we've finally got this done. Thanks to all involved.
All of the updates seem correct and appropriate to me. 

While there might be other things  about 5280 that one could 
consider wanting to update, at this point there would likely be 
sufficient difficulty in achieving rough consensus on any such 
addition that its simply not worth the effort.

(Barry Leiba) Yes

Comment (2012-10-19 for -10)
No email
send info
I'm glad to see these clarifications, and I'm happy to ballot "yes".  A few notes, and one question I'd appreciate an answer to, if you don't mind:

Notes:

I would have appreciated the use of proper change bars on the paragraphs.  When one sentence in a paragraph is changed, it's hard to pick out what changed -- I wind up having to read the old and new paragraphs back and forth, one sentence or one phrase at a time.  Harder than it needs to be, and especially bad when there's gratuitous moving of words from one line to another (as in Section 4).  That made this difficult to review.

-- Section 9 --
The RFC Editor will likely change "versions 00 through 04" to "earlier versions"; they don't like to refer to specific versions of drafts like that.  If you really don't want that change, you might have to fight them on it.

Question:

-- Section 3 --
This changes "MAY use IA5String" to "MUST NOT" use IA5String.  This makes some formerly conforming CAs non-conforming... what is the effect of this in actual practice?  Are there known CAs that are using IA5String?

(Sean Turner) Yes

(Ron Bonica) No Objection

(Stewart Bryant) No Objection

(Gonzalo Camarillo) No Objection

(Benoît Claise) No Objection

(Ralph Droms) No Objection

(Wesley Eddy) No Objection

(Adrian Farrel) No Objection

(Brian Haberman) No Objection

(Pete Resnick) No Objection

Comment (2012-10-25 for -10)
No email
send info
Section 3:

     Conforming CAs SHOULD use the
     UTF8String encoding for explicitText, but MAY use VisibleString or
     BMPString.

This is (as was 5280) worded oddly. I can take this to either mean, "UTF8String is the requirement. However, there are circumstances under which you might violate this requirement, in which case VisibleString or BMPString are the only possible alternatives", or "Any one of UTF8String, VisibleString, or BMPString are acceptable, but UTF8String is preferred." The combination of SHOULD and MAY makes this ambiguous. I think you should fix it.

(Robert Sparks) No Objection

(Martin Stiemerling) No Objection

(Russ Housley) Recuse

Comment (2012-10-19 for -10)
No email
send info
  Please consider the Gen-ART Review comments from Vijay Gurbani on
  16-Oct-2012:

  - S1: The fourth paragraph should be put right underneath the second
  paragraph since the former continues discussion started by the latter.

  - S1: Last paragraph -- it will be good to provide some documentation
  regarding the "observed attacks".  Especially a link to relevant
  papers of archival quality discussing the attacks will be helpful.  If
  the attacks are related to the Diginotar and Comodo break-ins, then
  there is an archival paper [1] at a reasonably high level from IEEE
  that discusses this and provides a starting point for those who want
  to learn more.

  [1] Neal Leavitt, "Internet security under attack: The undermining of
      digital certificates," pp. 17-20, IEEE Computer, December 2011.