Opened 6 years ago

Closed 6 years ago

#144 closed defect (fixed)

Need to specify how the CA requirements in 12.3 are to be met

Reported by: kseo@…
Owned by: eranm@…
Priority: major
Milestone: review
Component: rfc6962-bis
Version:
Severity: -
Keywords:


Section 12.3 specifies behaviors of the CA and browsers. I think that this text would be more logically placed in sections/documents devoted to those entities instead of in a Security Considerations section. Also, there needs to be a specification for how to determine if "the entirety of the domain space below the unredacted part of the domain name is not owned or controlled by a single entity" and perhaps a separate spec for how to determine whether a pre-certificate is "overly redacted." If the WG decides to adopt separate specifications for CA/Subjects, Monitors/Auditors, and Browsers, then I think that these algorithms should be placed in those documents.

Change History (4)

comment:1 Changed 6 years ago by eranm@…

  • Owner changed from draft-ietf-trans-rfc6962-bis@… to eranm@…

Good point about specifying behaviour of CAs - the definition of a 'single entity' is unclear and anyway, the purpose of this section is to point out the dangers of over-redaction.
It is hard to define what over-redaction is here, so my proposal (after talking to Rob about it) is to point to the PSL as an example of domains for which redacted precertificates would be 'overly-redacted' and make this section more informative, less prescriptive.
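
The PSL-based reading of "overly redacted" proposed in comment:1, sketched as an added example that is not part of the ticket or of the draft: a redacted name is flagged when what remains visible is nothing more than a public suffix. The `?` marker for a redacted label, the function names and the small rule list are assumptions made for illustration; a real check would load the full Public Suffix List.

```python
# Constructed subset of Public Suffix List rules; the real list is far larger.
SAMPLE_PSL_RULES = ["com", "uk", "co.uk", "ck", "*.ck", "!www.ck"]
REDACTED_LABEL = "?"  # assumption: a redacted DNS label is written as "?"


def public_suffix(labels, rules=SAMPLE_PSL_RULES):
    """Return the public-suffix labels of a name, following the PSL matching rules."""
    best = 1  # no rule matches: the implicit "*" rule makes the TLD the suffix
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        n = len(rule_labels)
        if n > len(labels):
            continue
        if all(r in ("*", l) for r, l in zip(rule_labels, labels[-n:])):
            if is_exception:
                # An exception rule prevails; its leftmost label is not part of the suffix.
                return labels[-(n - 1):]
            best = max(best, n)  # otherwise the rule with the most labels prevails
    return labels[-best:]


def is_overly_redacted(name, rules=SAMPLE_PSL_RULES):
    """True if the unredacted remainder of `name` is no more than a public suffix."""
    labels = name.lower().rstrip(".").split(".")
    if REDACTED_LABEL not in labels:
        return False  # nothing is redacted
    last = max(i for i, label in enumerate(labels) if label == REDACTED_LABEL)
    visible = labels[last + 1:]  # everything to the right of the last "?"
    if not visible:
        return True  # the whole name is hidden
    return public_suffix(visible, rules) == visible


if __name__ == "__main__":
    for sample in ["?.example.com", "?.co.uk", "?.com", "?.foo.ck", "?.www.ck"]:
        print(sample, is_overly_redacted(sample))
```
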

comment:4 Changed 6 years ago by melinda.shore@…

  • Resolution set to fixed
  • Status changed from new to closed