Hacker News new | ask | show | jobs
by throw0101a 134 days ago
> The CAB is only concerned with the WebPKI. This means HTTPS.

[citation needed]

The title of their current (2.2.2) standard is "Baseline Requirements for the Issuance and Management of Publicly‐Trusted TLS Server Certificates":

* https://cabforum.org/working-groups/server/baseline-requirem...

§1.3, "PKI Participants", states:

> The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other relying‐party software applications.

IMHO "other relying-party software applications" can include XMPP servers (also perhaps SMTP, IMAP, FTPS, NNTP, etc).
1 comments
growse 133 days ago
> [citation needed]

My citation is the membership of the CAB.

> IMHO "other relying-party software applications" can include XMPP servers (also perhaps SMTP, IMAP, FTPS, NNTP, etc).

This may be your opinion, but what's the representation of XMPP etc. software maintainers at the CAB?

link
throw0101a 133 days ago
>> [citation needed]

> My citation is the membership of the CAB.

It is a single member of the CAB that is insisting on changing the MAY to a MUST NOT for clientAuth. Why does that single member, Google-Chrome, get to dictate this?

Has Mozilla insisted on changing the meaning of §1.3 to basically remove "other relying‐party software applications"? Apple-Safari? Or any other of the "Certificate Consumers":

* https://cabforum.org/working-groups/server/#certificate-cons...

The membership of CAB collectively agree to the requirements/restrictions they places on themselves, and those requirements (a) state both browser and non-browser use cases, and (b) explicitly allow clientAuth usage as a MAY; see §7.1.2.10.6, §7.1.2.7.10:

* https://cabforum.org/working-groups/server/baseline-requirem...

link