Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 6818

Note: This ballot was opened for revision 10 and is now closed.

(Barry Leiba; former steering group member) Yes

Yes (2012-10-19 for -10)
No email
send info
I'm glad to see these clarifications, and I'm happy to ballot "yes".  A few notes, and one question I'd appreciate an answer to, if you don't mind:

Notes:

I would have appreciated the use of proper change bars on the paragraphs.  When one sentence in a paragraph is changed, it's hard to pick out what changed -- I wind up having to read the old and new paragraphs back and forth, one sentence or one phrase at a time.  Harder than it needs to be, and especially bad when there's gratuitous moving of words from one line to another (as in Section 4).  That made this difficult to review.

-- Section 9 --
The RFC Editor will likely change "versions 00 through 04" to "earlier versions"; they don't like to refer to specific versions of drafts like that.  If you really don't want that change, you might have to fight them on it.

Question:

-- Section 3 --
This changes "MAY use IA5String" to "MUST NOT" use IA5String.  This makes some formerly conforming CAs non-conforming... what is the effect of this in actual practice?  Are there known CAs that are using IA5String?

(Sean Turner; former steering group member) Yes

Yes ( for -10)
No email
send info

(Stephen Farrell; former steering group member) Yes

Yes (2012-10-17 for -10)
No email
send info
Glad to see we've finally got this done. Thanks to all involved.
All of the updates seem correct and appropriate to me. 

While there might be other things  about 5280 that one could 
consider wanting to update, at this point there would likely be 
sufficient difficulty in achieving rough consensus on any such 
addition that its simply not worth the effort.

(Adrian Farrel; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Benoît Claise; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Brian Haberman; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Gonzalo Camarillo; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Martin Stiemerling; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Pete Resnick; former steering group member) No Objection

No Objection (2012-10-25 for -10)
No email
send info
Section 3:

     Conforming CAs SHOULD use the
     UTF8String encoding for explicitText, but MAY use VisibleString or
     BMPString.

This is (as was 5280) worded oddly. I can take this to either mean, "UTF8String is the requirement. However, there are circumstances under which you might violate this requirement, in which case VisibleString or BMPString are the only possible alternatives", or "Any one of UTF8String, VisibleString, or BMPString are acceptable, but UTF8String is preferred." The combination of SHOULD and MAY makes this ambiguous. I think you should fix it.

(Ralph Droms; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Robert Sparks; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Ron Bonica; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Stewart Bryant; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Wesley Eddy; former steering group member) No Objection

No Objection ( for -10)
No email
send info

(Russ Housley; former steering group member) Recuse

Recuse (2012-10-19 for -10)
No email
send info
  Please consider the Gen-ART Review comments from Vijay Gurbani on
  16-Oct-2012:

  - S1: The fourth paragraph should be put right underneath the second
  paragraph since the former continues discussion started by the latter.

  - S1: Last paragraph -- it will be good to provide some documentation
  regarding the "observed attacks".  Especially a link to relevant
  papers of archival quality discussing the attacks will be helpful.  If
  the attacks are related to the Diginotar and Comodo break-ins, then
  there is an archival paper [1] at a reasonably high level from IEEE
  that discusses this and provides a starting point for those who want
  to learn more.

  [1] Neal Leavitt, "Internet security under attack: The undermining of
      digital certificates," pp. 17-20, IEEE Computer, December 2011.