Further comments on Grid Certificate Profile
Added by John Kewley over 9 years ago
[continuation of previous comments]
- 3.1 General Provisions states "... Note that modern hashes, such as SHA-256, are supported by the majority of OpenSSL versions in use, so SHA-2 is currently RECOMMENDED if the software in the entire community supports it. At least a SHA-1 hash or stronger MUST be used." whereas 2.2 Serial Number [see my notes in previous Comment about the sectioning] states "... The current most secure hash function that is supported by the entire target audience of the CA SHOULD be used. In particular SHA-2 or better SHOULD be used and at least as strong as SHA-1 MUST be used". IMO they should be consistent (especially the bit about being supported by the entire target audience) if not identical.
- 3.2.2 is described as "recommendations" and then makes statements like "SHOULD NOT" (fair enough) and "MUST NOT" (which is a prohibition not a recommendation)
- footnote 23 is attached to a "SHOULD NOT" yet it states "The quote characters must not be used". Although the "must not" is not in caps it seems strange to have a reason given for a "must not" when associated with a "SHOULD NOT" - should it be attached to the "MUST NOT" on the previous line? Or is some other interpretation intended?
- footnote 28, there are also reasons other than multiple projects for an individual to have more than one certificate: multiple roles (RA Operator maybe, in fact maybe an RA Operator for multiple RAs) and testing (key sizes, signature algorithms) are ones that spring to mind - maybe this could be generalised a bit
- footnote 30: as this is an update to the document and Globus 4.2 is some years old, maybe later versions of GT could be considered
- 3.3 nsCertType vs extendedKeyUsage is contorted. extendedKeyUsage is "required" (see my other set of comments) which implies compulsion / MUST, yet it needn't be present if nsCertType is present, but the latter is deprecated. 3.3.4 then states that nsCertType "MUST NOT" be used - this is all confusing (I get the gist, but feel it is described clumsily and maybe it'd be better to state what should be the case for all new certificates and then give some allowances for existing ones, asserting whether they can be renewed in that state or not).
- 3.3 "includes also the extensions" -> "also includes the extensions"
- Footnote 36: "argumentation" is a word I have never seen in normal [UK] English usage (although my German-speaking colleagues in CH used to use it a lot). Can I suggest "justification" or "discussion" or "arguments"
- Footnote 38 talks about "recent mail clients" - is this still untrue for the examples given?
- Footnote 38 "other products" - "products" sounds strange - how about "tools" or "clients"?
- Footnote 38 "reder" -> "render"
- 3.3 the table spreads over 2 pages which makes it hard to read. The "Optional" section starts with a "," and has a double ",," in the middle
- 3.3.4 "This extension is deprecated and it MUST NOT be used in new certificates, and the appropriate equivalent values be included in the extendedKeyUsage extension" -> "This extension is deprecated. It MUST NOT be used in new certificates: the appropriate equivalent values MUST/SHOULD be included in the extendedKeyUsage extension" [probably a MUST, but I'll leave that to others to decide] - If nsCertType is present, does it matter whether it is marked as "critical" or not?
- 3.3.5 "If any of these is included" -> "If any of these are included"
- 3.3.6 should there be something stronger than "is not required" like "SHOULD NOT be used"?
- 3.3.7 "is known not to be able to handle" -> "is known to be unable to handle" or maybe even avoid "hearsay" and just say "cannot handle"
- Footnote 46 - what is "Chapter 5"? This document has a section 5, but I don't think it is relevant - if it is maybe more info is needed to point at the information hinted at.
JK