
Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
draft-ietf-pkix-rfc5280-clarifications-11

Note: This ballot was opened for revision 10 and is now closed.

Barry Leiba, former IESG member
Yes (2012-10-19 for -10)
I'm glad to see these clarifications, and I'm happy to ballot "yes".  A few notes, and one question I'd appreciate an answer to, if you don't mind:

Notes:

I would have appreciated the use of proper change bars on the paragraphs.  When one sentence in a paragraph is changed, it's hard to pick out what changed -- I wind up having to read the old and new paragraphs back and forth, one sentence or one phrase at a time.  Harder than it needs to be, and especially bad when there's gratuitous moving of words from one line to another (as in Section 4).  That made this difficult to review.

-- Section 9 --
The RFC Editor will likely change "versions 00 through 04" to "earlier versions"; they don't like to refer to specific versions of drafts like that.  If you really don't want that change, you might have to fight them on it.

Question:

-- Section 3 --
This changes "MAY use IA5String" to "MUST NOT use IA5String".  This makes some formerly conforming CAs non-conforming... what is the effect of this in actual practice?  Are there known CAs that are using IA5String?

Sean Turner, former IESG member
Yes (for -10)

Stephen Farrell, former IESG member
Yes (2012-10-17 for -10)
Glad to see we've finally got this done. Thanks to all involved. All of the updates seem correct and appropriate to me.

While there might be other things about 5280 that one could consider wanting to update, at this point there would likely be sufficient difficulty in achieving rough consensus on any such addition that it's simply not worth the effort.

Adrian Farrel, former IESG member
No Objection (for -10)

Benoît Claise, former IESG member
No Objection (for -10)

Brian Haberman, former IESG member
No Objection (for -10)

Gonzalo Camarillo, former IESG member
No Objection (for -10)

Martin Stiemerling, former IESG member
No Objection (for -10)

Pete Resnick, former IESG member
No Objection (2012-10-25 for -10)
Section 3:

     Conforming CAs SHOULD use the
     UTF8String encoding for explicitText, but MAY use VisibleString or
     BMPString.

This is (as was 5280) worded oddly. I can take this to either mean, "UTF8String is the requirement. However, there are circumstances under which you might violate this requirement, in which case VisibleString or BMPString are the only possible alternatives", or "Any one of UTF8String, VisibleString, or BMPString are acceptable, but UTF8String is preferred." The combination of SHOULD and MAY makes this ambiguous. I think you should fix it.
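
Both Section 3 comments above (Barry's IA5String question and Pete's SHOULD/MAY reading) turn on which DisplayText alternative a CA uses for explicitText in a UserNotice policy qualifier. As an added example that is not part of the ballot or of the draft, the following Python decodes a DER UserNotice and classifies the explicitText encoding against the clarified rule (SHOULD UTF8String, MAY VisibleString or BMPString, MUST NOT IA5String); the sample UserNotice values are constructed in-line, and the builder assumes short-form DER lengths.

```python
# Added example: classify the explicitText encoding of an RFC 5280 UserNotice.
# Universal ASN.1 tags of the DisplayText CHOICE alternatives (RFC 5280 A.1).
DISPLAYTEXT_TAGS = {0x16: "IA5String", 0x1A: "VisibleString",
                    0x1E: "BMPString", 0x0C: "UTF8String"}
SEQUENCE = 0x30

def der_tlv(buf, pos=0):
    """Decode one DER TLV (short or long length form); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def explicit_text_encoding(user_notice):
    """Return the DisplayText type name used for explicitText, or None if absent."""
    tag, body, _ = der_tlv(user_notice)
    if tag != SEQUENCE:
        raise ValueError("UserNotice must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, _, pos = der_tlv(body, pos)
        if tag == SEQUENCE:                # optional noticeRef comes first; skip it
            continue
        return DISPLAYTEXT_TAGS.get(tag, "unknown(0x%02x)" % tag)
    return None

def verdict(user_notice):
    """Map the encoding onto the clarified text: SHOULD UTF8String,
    MAY VisibleString or BMPString, MUST NOT IA5String."""
    enc = explicit_text_encoding(user_notice)
    if enc is None:
        return "no explicitText"
    if enc == "UTF8String":
        return "conforms (SHOULD)"
    if enc in ("VisibleString", "BMPString"):
        return "conforms (MAY)"
    if enc == "IA5String":
        return "violates MUST NOT"
    return "not a DisplayText alternative: " + enc

def user_notice(tag, text):
    """Build a constructed DER UserNotice carrying only explicitText
    (short-form lengths only, so the text must stay under 128 bytes)."""
    raw = text.encode("utf-16-be" if tag == 0x1E else "utf-8")
    inner = bytes([tag, len(raw)]) + raw
    return bytes([SEQUENCE, len(inner)]) + inner
```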

Ralph Droms, former IESG member
No Objection (for -10)

Robert Sparks, former IESG member
No Objection (for -10)

Ron Bonica, former IESG member
No Objection (for -10)

Stewart Bryant, former IESG member
No Objection (for -10)

Wesley Eddy, former IESG member
No Objection (for -10)

Russ Housley, former IESG member
Recuse (2012-10-19 for -10)
Please consider the Gen-ART Review comments from Vijay Gurbani on 16-Oct-2012:

- S1: The fourth paragraph should be put right underneath the second paragraph since the former continues discussion started by the latter.

- S1: Last paragraph -- it will be good to provide some documentation regarding the "observed attacks".  Especially a link to relevant papers of archival quality discussing the attacks will be helpful.  If the attacks are related to the DigiNotar and Comodo break-ins, then there is an archival paper [1] at a reasonably high level from IEEE that discusses this and provides a starting point for those who want to learn more.

[1] Neal Leavitt, "Internet security under attack: The undermining of digital certificates," pp. 17-20, IEEE Computer, December 2011.