From 9ae89901548c42586971b0ff4ca3aeb27d8d2dac Mon Sep 17 00:00:00 2001
From: ENEN-DTR <67336551+ENEN-DTR@users.noreply.github.com>
Date: Fri, 12 Jul 2024 13:21:40 +0200
Subject: [PATCH 1/4] Update BR.md
Changes in the sections 1.6.1, 7.1.2.7.7, 7.1.2.11.2, 7.1.2.3.2, 7.1.2.7.9, 7.1.2.8.8 and 7.1.2.10.5.
---
docs/BR.md | 37 ++++++++++++++++++++-----------------
1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/docs/BR.md b/docs/BR.md
index 38863495..1fefc862 100644
--- a/docs/BR.md
+++ b/docs/BR.md
@@ -466,6 +466,8 @@ The script outputs:
**Root Certificate**: The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs.
+**Scheme**: A URI Scheme that is defined by RFC 3986, section 3.1.
+
**Short-lived Subscriber Certificate**: For Certificates issued on or after 15 March 2024 and prior to 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 10 days (864,000 seconds). For Certificates issued on or after 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 7 days (604,800 seconds).
**Sovereign State**: A state or country that administers its own government, and is not dependent upon, or subject to, another power.
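Review bot: the new definition is circular: "**Scheme**: A URI Scheme that is defined by RFC 3986, section 3.1" defines Scheme by means of URI Scheme. Suggest "**Scheme**: The scheme component of a Uniform Resource Identifier (URI), as defined in RFC 3986, Section 3.1." and link the RFC reference the way this file already does for RFC 7231 ("[RFC 7231, Section 6.4](https://tools.ietf.org/html/rfc7231#section-6.4)"). The position between "Root Certificate" and "Short-lived Subscriber Certificate" keeps the alphabetical order of 1.6.1 for the word "Scheme".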
@@ -2089,10 +2091,10 @@ Table: Policy Restricted
Table: Permitted `policyQualifiers`
-| __Qualifier ID__ | __Presence__ | __Field Type__ | __Contents__ |
+| __policyQualifier__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | The HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
-| Any other qualifier | MUST NOT | - | - |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, every policyQualifier SHALL have the uniformResourceIdentifier SCHEME HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present. |
##### 7.1.2.3.3 Technically Constrained Non-TLS Subordinate CA Extended Key Usage
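Review bot: `uniformResourceIdentifier` does not apply to this row: the Field Type column says `IA5String`, i.e. the `id-qt-cps` qualifier carries a plain string, not a `GeneralName`, so there is no `uniformResourceIdentifier` choice that could "have the ... SCHEME". The sentence also binds the requirement to "every policyQualifier" (the identifier) rather than to its value, and "SCHEME" in capitals and SHALL sit oddly next to the MUST/MUST NOT/MAY used in the Presence column. Suggest keeping the table's own register: "When present, an HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA." The new Contents cell of the "Any other" row only restates the Presence column (MUST NOT); "-" as before is enough. The identical tables in 7.1.2.7.9, 7.1.2.8.8 and 7.1.2.10.5 later in this patch need the same change.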
@@ -2425,11 +2427,11 @@ The `AuthorityInfoAccessSyntax` MUST contain one or more `AccessDescription`s. E
The `AuthorityInfoAccessSyntax` MAY contain multiple `AccessDescription`s with the same `accessMethod`, if permitted for that `accessMethod`. When multiple `AccessDescription`s are present with the same `accessMethod`, each `accessLocation` MUST be unique, and each `AccessDescription` MUST be ordered in priority for that `accessMethod`, with the most-preferred `accessLocation` being the first `AccessDescription`. No ordering requirements are given for `AccessDescription`s that contain different `accessMethod`s, provided that previous requirement is satisfied.
-| __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Description__ |
+| __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Access Description__ |
| -- | -- | ---- | - | - | --- |
-| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's OCSP responder. |
-| `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | SHOULD | \* | A HTTP URL of the Issuing CA's certificate. |
-| Any other value | - | - | MUST NOT | - | No other `accessMethod`s may be used. |
+| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier SCHEME HTTP.
Other schemes SHALL NOT be present. |
+| `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | SHOULD | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier SCHEME HTTP.
Other schemes SHALL NOT be present. |
+| Any other value | - | - | MUST NOT | - | Other `accessMethod`s SHALL NOT be present. |
##### 7.1.2.7.8 Subscriber Certificate Basic Constraints
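Review bot: the two rewritten rows are split across lines ("...SCHEME HTTP." on one line, "Other schemes SHALL NOT be present. |" on the next); a Markdown table row cannot span lines, so the table will not render. Keep each row on one line. Beyond layout, the new text drops what the location must point to ("A HTTP URL of the Issuing CA's OCSP responder" / "A HTTP URL of the Issuing CA's certificate"), which is the substantive content of each row, and it attaches the scheme to the `accessMethod` (the OID in the second column) instead of to the `accessLocation`. Suggest "An HTTP URL of the Issuing CA's OCSP responder. The `accessLocation` MUST use the http scheme; other schemes MUST NOT be used." and the equivalent for `id-ad-caIssuers`. Renaming the column to "Access Description" also reads as if it named the ASN.1 type `AccessDescription`, which is the whole row; keep "Description".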
@@ -2456,10 +2458,10 @@ This Profile RECOMMENDS that the first `PolicyInformation` value within the Cert
Table: Permitted `policyQualifiers`
-| __Qualifier ID__ | __Presence__ | __Field Type__ | __Contents__ |
+| __policyQualifier__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | The HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
-| Any other qualifier | MUST NOT | - | - |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, every policyQualifier SHALL have the uniformResourceIdentifier SCHEME HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present. |
[^first_policy_note]: Although RFC 5280 allows `PolicyInformation`s to appear in any order, several client implementations have implemented logic that considers the `policyIdentifier` that matches a given filter. As such, ensuring the Reserved Certificate Policy Identifier is the first `PolicyInformation` reduces the risk of interoperability challenges.
@@ -2642,10 +2644,10 @@ If present, the Certificate Policies extension MUST contain at least one `Policy
Table: Permitted `policyQualifiers`
-| __Qualifier ID__ | __Presence__ | __Field Type__ | __Contents__ |
+| __policyQualifier__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | The HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
-| Any other qualifier | MUST NOT | - | - |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, every policyQualifier SHALL have the uniformResourceIdentifier SCHEME HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present. |
**Note**: See [Section 7.1.2.8.2](#71282-ocsp-responder-extensions) for applicable effective dates for when this extension may be included.
@@ -2834,10 +2836,11 @@ If the `policyQualifiers` is permitted and present within a `PolicyInformation`
Table: Permitted `policyQualifiers`
-| __Qualifier ID__ | __Presence__ | __Field Type__ | __Contents__ |
+| __policyQualifier__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | The HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
-| Any other qualifier | MUST NOT | - | - |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, every policyQualifier SHALL have the uniformResourceIdentifier SCHEME HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present.
+|
##### 7.1.2.10.6 CA Certificate Extended Key Usage
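Review bot: the last row is malformed: the closing "|" of the "Any other policyQualifier" row has been pushed onto its own line ("+|"), so the row will not render as part of the table; end the row with " |" on the same line, as the three other Permitted `policyQualifiers` tables in this patch do. The `id-qt-cps` row has the same mismatch as the other policy tables: the Field Type is `IA5String`, not a `GeneralName`, so "uniformResourceIdentifier SCHEME" is the wrong term; "When present, an HTTP or HTTPS URL for ..." says what is meant.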
@@ -2953,7 +2956,7 @@ Table: `DistributionPoint` profile
| `reasons` | MUST NOT | |
| `cRLIssuer` | MUST NOT | |
-A `fullName` MUST contain at least one `GeneralName`; it MAY contain more than one. All `GeneralName`s MUST be of type `uniformResourceIdentifier`, and the scheme of each MUST be "http". The first `GeneralName` must contain the HTTP URL of the Issuing CA's CRL service for this certificate.
+A `fullName` MUST contain at least one `GeneralName`; it MAY contain more than one. All `GeneralName`s MUST be of type `uniformResourceIdentifier`, and have the uniformResourceIdentifier SCHEME HTTP. Every `GeneralName` must contain the HTTP URL of the Issuing CA's CRL service for this certificate.
##### 7.1.2.11.3 Signed Certificate Timestamp List
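Review bot: this hunk changes the requirement, not only its wording: the old text required only "The first `GeneralName`" to contain the CRL URL for this certificate, the new text requires "Every `GeneralName`" to, which newly constrains the additional `GeneralName`s the preceding sentence says MAY be present. If that tightening is intended it belongs in the commit message; otherwise restore "The first". Also "must" should be "MUST" (it is the RFC 2119 keyword, as elsewhere in the sentence), and the original "the scheme of each MUST be "http"" is the more precise form, since "http" is the literal scheme name whereas HTTP is the protocol.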
From b1d21310ca7fe4ff25df9d4d2a5e6a9e245b0c41 Mon Sep 17 00:00:00 2001
From: ENEN-DTR <67336551+ENEN-DTR@users.noreply.github.com>
Date: Thu, 25 Jul 2024 11:43:55 +0200
Subject: [PATCH 2/4] Update BR.md
Removed.
---
docs/BR.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/BR.md b/docs/BR.md
index 1fefc862..17893ffb 100644
--- a/docs/BR.md
+++ b/docs/BR.md
@@ -2429,8 +2429,8 @@ The `AuthorityInfoAccessSyntax` MAY contain multiple `AccessDescription`s with t
| __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Access Description__ |
| -- | -- | ---- | - | - | --- |
-| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier SCHEME HTTP.
Other schemes SHALL NOT be present. |
-| `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | SHOULD | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier SCHEME HTTP.
Other schemes SHALL NOT be present. |
+| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier SCHEME HTTP. Other schemes SHALL NOT be present. |
+| `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | SHOULD | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier SCHEME HTTP. Other schemes SHALL NOT be present. |
| Any other value | - | - | MUST NOT | - | Other `accessMethod`s SHALL NOT be present. |
##### 7.1.2.7.8 Subscriber Certificate Basic Constraints
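Review bot: the scheme requirement is still on the wrong field: "every accessMethod SHALL have the uniformResourceIdentifier SCHEME HTTP" binds it to the `accessMethod` (the OID in the second column) rather than to the `accessLocation` that carries the URL, and the two rows still do not say what the URL must point to (the Issuing CA's OCSP responder for `id-ad-ocsp`, the Issuing CA's certificate for `id-ad-caIssuers`), so they differ only by OID. Suggest "An HTTP URL of the Issuing CA's OCSP responder. The `accessLocation` MUST use the http scheme; other schemes MUST NOT be used." Joining each row back onto one line does fix the rendering break from the previous commit.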
From 34d1818dfc89a1b68ddfb9654b30981cc9115c0a Mon Sep 17 00:00:00 2001
From: ENEN-DTR <67336551+ENEN-DTR@users.noreply.github.com>
Date: Thu, 22 Aug 2024 12:34:41 +0200
Subject: [PATCH 3/4] Update BR.md
Changes in accordance with review
---
docs/BR.md | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/docs/BR.md b/docs/BR.md
index 17893ffb..0c891577 100644
--- a/docs/BR.md
+++ b/docs/BR.md
@@ -2091,9 +2091,9 @@ Table: Policy Restricted
Table: Permitted `policyQualifiers`
-| __policyQualifier__ | __Presence__ | __Field Type__ | __Contents__ |
+| __policyQualifierId__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, every policyQualifier SHALL have the uniformResourceIdentifier SCHEME HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `uniformResourceIdentifier` Scheme HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present. |
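Review bot: the header is now `policyQualifierId` but the last row still reads "Any other policyQualifier"; make the two match. In the `id-qt-cps` row, "the `id-qt-cps` `policyQualifierId` SHALL have the `uniformResourceIdentifier` Scheme" still binds the scheme to the identifier (an OID) instead of to the qualifier value, and that value's Field Type is `IA5String`, not a `GeneralName`, so `uniformResourceIdentifier` is the wrong term here. Suggest "When present, the qualifier MUST be an HTTP or HTTPS URL for the Issuing CA's Certificate Policies, ...". The same applies to the three identical tables later in this commit.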
@@ -2427,10 +2427,10 @@ The `AuthorityInfoAccessSyntax` MUST contain one or more `AccessDescription`s. E
The `AuthorityInfoAccessSyntax` MAY contain multiple `AccessDescription`s with the same `accessMethod`, if permitted for that `accessMethod`. When multiple `AccessDescription`s are present with the same `accessMethod`, each `accessLocation` MUST be unique, and each `AccessDescription` MUST be ordered in priority for that `accessMethod`, with the most-preferred `accessLocation` being the first `AccessDescription`. No ordering requirements are given for `AccessDescription`s that contain different `accessMethod`s, provided that previous requirement is satisfied.
-| __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Access Description__ |
+| __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Description__ |
| -- | -- | ---- | - | - | --- |
-| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier SCHEME HTTP. Other schemes SHALL NOT be present. |
-| `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | SHOULD | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier SCHEME HTTP. Other schemes SHALL NOT be present. |
+| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier Scheme HTTP. Other Schemes SHALL NOT be present. |
+| `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | SHOULD | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier Scheme HTTP. Other Schemes SHALL NOT be present. |
| Any other value | - | - | MUST NOT | - | Other `accessMethod`s SHALL NOT be present. |
##### 7.1.2.7.8 Subscriber Certificate Basic Constraints
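Review bot: "every accessMethod SHALL have the uniformResourceIdentifier Scheme HTTP" still places the scheme on the `accessMethod` OID; it is the `accessLocation` (column three, `uniformResourceIdentifier`) that carries the URL. Neither row says any longer what the URL points to (OCSP responder vs. CA certificate), which the pre-series text did. Suggest "An HTTP URL of the Issuing CA's OCSP responder. The `accessLocation` MUST use the http scheme; other schemes MUST NOT be used." with the caIssuers equivalent. Reverting the column header to "Description" is the right call.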
@@ -2458,9 +2458,9 @@ This Profile RECOMMENDS that the first `PolicyInformation` value within the Cert
Table: Permitted `policyQualifiers`
-| __policyQualifier__ | __Presence__ | __Field Type__ | __Contents__ |
+| __policyQualifierId__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, every policyQualifier SHALL have the uniformResourceIdentifier SCHEME HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `uniformResourceIdentifier` Scheme HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present. |
[^first_policy_note]: Although RFC 5280 allows `PolicyInformation`s to appear in any order, several client implementations have implemented logic that considers the `policyIdentifier` that matches a given filter. As such, ensuring the Reserved Certificate Policy Identifier is the first `PolicyInformation` reduces the risk of interoperability challenges.
@@ -2644,9 +2644,9 @@ If present, the Certificate Policies extension MUST contain at least one `Policy
Table: Permitted `policyQualifiers`
-| __policyQualifier__ | __Presence__ | __Field Type__ | __Contents__ |
+| __policyQualifierId__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, every policyQualifier SHALL have the uniformResourceIdentifier SCHEME HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `uniformResourceIdentifier` Scheme HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present. |
@@ -2836,9 +2836,9 @@ If the `policyQualifiers` is permitted and present within a `PolicyInformation`
Table: Permitted `policyQualifiers`
-| __policyQualifier__ | __Presence__ | __Field Type__ | __Contents__ |
+| __policyQualifierId__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, every policyQualifier SHALL have the uniformResourceIdentifier SCHEME HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `uniformResourceIdentifier` Scheme HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present.
|
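Review bot: the context lines show the "Any other policyQualifier" row still ends with its closing "|" on a separate line, so this table remains broken even though its `id-qt-cps` row is edited here; pull the " |" back onto the row in this commit rather than leaving it for later.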
@@ -2956,7 +2956,7 @@ Table: `DistributionPoint` profile
| `reasons` | MUST NOT | |
| `cRLIssuer` | MUST NOT | |
-A `fullName` MUST contain at least one `GeneralName`; it MAY contain more than one. All `GeneralName`s MUST be of type `uniformResourceIdentifier`, and have the uniformResourceIdentifier SCHEME HTTP. Every `GeneralName` must contain the HTTP URL of the Issuing CA's CRL service for this certificate.
+A `fullName` MUST contain at least one `GeneralName`; it MAY contain more than one. `GeneralName`s MUST be of type `uniformResourceIdentifier`, and the Scheme of each MUST be http. Each `GeneralName` MUST contain the HTTP URL of the Issuing CA's CRL service for this certificate.
##### 7.1.2.11.3 Signed Certificate Timestamp List
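Review bot: "Each `GeneralName` MUST contain the HTTP URL of the Issuing CA's CRL service for this certificate" keeps the tightening from the original "The first `GeneralName`" (every entry, not only the first, must be this certificate's CRL); if that is intended, say so in the commit message, otherwise restore "The first". Lower-case "http" here is the registered scheme name and is the better form, but the AIA and policy tables edited in this same commit say "Scheme HTTP" and "HTTP or HTTPS"; use one form throughout.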
From 5908ff0f78e30bb3b42008bac69e16ef1ee5a6f0 Mon Sep 17 00:00:00 2001
From: ENEN-DTR <67336551+ENEN-DTR@users.noreply.github.com>
Date: Thu, 5 Sep 2024 15:18:32 +0200
Subject: [PATCH 4/4] Update BR.md
Introduction of the term `URI Scheme` to avoid misunderstandings
---
docs/BR.md | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/docs/BR.md b/docs/BR.md
index 0c891577..19f92e81 100644
--- a/docs/BR.md
+++ b/docs/BR.md
@@ -466,7 +466,7 @@ The script outputs:
**Root Certificate**: The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs.
-**Scheme**: A URI Scheme that is defined by RFC 3986, section 3.1.
+**URI Scheme**: A Uniform Resource Identifier (URI) Scheme that is defined by RFC 3986, section 3.1.
**Short-lived Subscriber Certificate**: For Certificates issued on or after 15 March 2024 and prior to 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 10 days (864,000 seconds). For Certificates issued on or after 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 7 days (604,800 seconds).
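Review bot: with the term renamed to "URI Scheme", the entry no longer belongs between "Root Certificate" and "Short-lived Subscriber Certificate": the definitions in 1.6.1 are alphabetical (Root, Short-lived, Sovereign State in this hunk), so move it to its place under U. The definition is also still circular ("**URI Scheme**: A Uniform Resource Identifier (URI) Scheme that is defined by RFC 3986"); suggest "**URI Scheme**: The scheme component of a Uniform Resource Identifier, as defined in [RFC 3986, Section 3.1](https://tools.ietf.org/html/rfc3986#section-3.1).", matching the linked RFC citations used elsewhere in this file.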
@@ -867,7 +867,7 @@ The file containing the Request Token or Random Value:
1. MUST be located on the Authorization Domain Name, and
2. MUST be located under the "/.well-known/pki-validation" directory, and
-3. MUST be retrieved via either the "http" or "https" scheme, and
+3. MUST be retrieved via either the `URI Scheme` HTTP or HTTPS, and
4. MUST be accessed over an Authorized Port.
If the CA follows redirects, the following apply:
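Review bot: the backticks around `URI Scheme` are inconsistent with how defined terms appear in this list: "Authorization Domain Name" and "Authorized Port" in the neighbouring items are capitalized plain text, and backticks in this file mark ASN.1 field names and literal values. The old line's "http" and "https" are the scheme names as written in URIs; "HTTP"/"HTTPS" name the protocols. Suggest: 'MUST be retrieved via either the "http" or "https" URI Scheme, and'. The same formatting is used in the two redirect rules and the CAA iodef sentence below; apply the same form there.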
@@ -875,7 +875,7 @@ If the CA follows redirects, the following apply:
1. Redirects MUST be initiated at the HTTP protocol layer.
a. For validations performed on or after July 1, 2021, redirects MUST be the result of a 301, 302, or 307 HTTP status code response, as defined in [RFC 7231, Section 6.4](https://tools.ietf.org/html/rfc7231#section-6.4), or a 308 HTTP status code response, as defined in [RFC 7538, Section 3](https://tools.ietf.org/html/rfc7538#section-3). Redirects MUST be to the final value of the Location HTTP response header, as defined in [RFC 7231, Section 7.1.2](https://tools.ietf.org/html/rfc7231#section-7.1.2).
b. For validations performed prior to July 1, 2021, redirects MUST be the result of an HTTP status code result within the 3xx Redirection class of status codes, as defined in [RFC 7231, Section 6.4](https://tools.ietf.org/html/rfc7231#section-6.4). CAs SHOULD limit the accepted status codes and resource URLs to those defined within 1.a.
-2. Redirects MUST be to resource URLs with either the "http" or "https" scheme.
+2. Redirects MUST be to resource URLs with either the `URI Scheme` HTTP or HTTPS.
3. Redirects MUST be to resource URLs accessed via Authorized Ports.
If a Random Value is used, then:
@@ -899,7 +899,7 @@ If the CA follows redirects, the following apply:
1. Redirects MUST be initiated at the HTTP protocol layer.
a. For validations performed on or after July 1, 2021, redirects MUST be the result of a 301, 302, or 307 HTTP status code response, as defined in [RFC 7231, Section 6.4](https://tools.ietf.org/html/rfc7231#section-6.4), or a 308 HTTP status code response, as defined in [RFC 7538, Section 3](https://tools.ietf.org/html/rfc7538#section-3). Redirects MUST be to the final value of the Location HTTP response header, as defined in [RFC 7231, Section 7.1.2](https://tools.ietf.org/html/rfc7231#section-7.1.2).
b. For validations performed prior to July 1, 2021, redirects MUST be the result of an HTTP status code result within the 3xx Redirection class of status codes, as defined in [RFC 7231, Section 6.4](https://tools.ietf.org/html/rfc7231#section-6.4). CAs SHOULD limit the accepted status codes and resource URLs to those defined within 1.a.
-2. Redirects MUST be to resource URLs with either the "http" or "https" scheme.
+2. Redirects MUST be to resource URLs with either the `URI Scheme` HTTP or HTTPS.
3. Redirects MUST be to resource URLs accessed via Authorized Ports.
**Note**:
@@ -1017,7 +1017,7 @@ CAs are permitted to treat a record lookup failure as permission to issue if:
* the lookup has been retried at least once; and
* the domain's zone does not have a DNSSEC validation chain to the ICANN root.
-CAs MUST document potential issuances that were prevented by a CAA record in sufficient detail to provide feedback to the CAB Forum on the circumstances, and SHOULD dispatch reports of such issuance requests to the contact(s) stipulated in the CAA iodef record(s), if present. CAs are not expected to support URL schemes in the iodef record other than mailto: or https:.
+CAs MUST document potential issuances that were prevented by a CAA record in sufficient detail to provide feedback to the CAB Forum on the circumstances, and SHOULD dispatch reports of such issuance requests to the contact(s) stipulated in the CAA iodef record(s), if present. CAs are not expected to support `URI Scheme`s in the iodef record other than mailto: or https:.
### 3.2.3 Authentication of individual identity
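Review bot: "`URI Scheme`s" puts the plural s outside the code span, which renders as a stray letter after the formatted term; since URI Scheme is a defined term, not a field name, write "URI Schemes" in plain text. The "mailto:" and "https:" literals that follow are fine as they are.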
@@ -2093,7 +2093,7 @@ Table: Permitted `policyQualifiers`
| __policyQualifierId__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `uniformResourceIdentifier` Scheme HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `URI Scheme` HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present. |
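Review bot: "SHALL have the `URI Scheme` HTTP or HTTPS" still attaches the scheme to the `policyQualifierId` (an OID), while the thing that has a scheme is the `IA5String` URL in the qualifier value. Suggest "When present, the qualifier MUST be an HTTP or HTTPS URL for the Issuing CA's Certificate Policies, ..."; and the "Any other policyQualifier" row should say `policyQualifierId` to match the header. Same for the three identical tables below.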
@@ -2429,8 +2429,8 @@ The `AuthorityInfoAccessSyntax` MAY contain multiple `AccessDescription`s with t
| __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Description__ |
| -- | -- | ---- | - | - | --- |
-| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier Scheme HTTP. Other Schemes SHALL NOT be present. |
-| `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | SHOULD | \* | When provided, every accessMethod SHALL have the uniformResourceIdentifier Scheme HTTP. Other Schemes SHALL NOT be present. |
+| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | When provided, every accessMethod SHALL have the `URI Scheme` HTTP. Other `URI Scheme`s SHALL NOT be present. |
+| `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | SHOULD | \* | When provided, every accessMethod SHALL have the `URI Scheme` HTTP. Other `URI Scheme`s SHALL NOT be present. |
| Any other value | - | - | MUST NOT | - | Other `accessMethod`s SHALL NOT be present. |
##### 7.1.2.7.8 Subscriber Certificate Basic Constraints
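Review bot: "every accessMethod SHALL have the `URI Scheme` HTTP" binds the scheme to the `accessMethod` OID; the URL lives in the `accessLocation`. "Other `URI Scheme`s" again leaves the plural s outside the code span. The rows also still lack the statement of what the URL points to (the Issuing CA's OCSP responder, the Issuing CA's certificate); suggest "An HTTP URL of the Issuing CA's OCSP responder. The `accessLocation` MUST use the http URI Scheme; other URI Schemes MUST NOT be used." with the caIssuers equivalent.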
@@ -2460,7 +2460,7 @@ Table: Permitted `policyQualifiers`
| __policyQualifierId__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `uniformResourceIdentifier` Scheme HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `URI Scheme` HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present. |
[^first_policy_note]: Although RFC 5280 allows `PolicyInformation`s to appear in any order, several client implementations have implemented logic that considers the `policyIdentifier` that matches a given filter. As such, ensuring the Reserved Certificate Policy Identifier is the first `PolicyInformation` reduces the risk of interoperability challenges.
@@ -2646,7 +2646,7 @@ Table: Permitted `policyQualifiers`
| __policyQualifierId__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `uniformResourceIdentifier` Scheme HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `URI Scheme` HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present. |
@@ -2838,7 +2838,7 @@ Table: Permitted `policyQualifiers`
| __policyQualifierId__ | __Presence__ | __Field Type__ | __Contents__ |
| --- | - | - | ----- |
-| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `uniformResourceIdentifier` Scheme HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
+| `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | When provided, the `id-qt-cps` `policyQualifierId` SHALL have the `URI Scheme` HTTP or HTTPS for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. |
| Any other policyQualifier | MUST NOT | - | Other policyQualifiers SHALL NOT be present.
|
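Review bot: the "Any other policyQualifier" row of this table still ends with its closing "|" on a separate line (visible in the context), so it has been broken since the first commit of the series; join " |" onto the row here.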
@@ -2956,7 +2956,7 @@ Table: `DistributionPoint` profile
| `reasons` | MUST NOT | |
| `cRLIssuer` | MUST NOT | |
-A `fullName` MUST contain at least one `GeneralName`; it MAY contain more than one. `GeneralName`s MUST be of type `uniformResourceIdentifier`, and the Scheme of each MUST be http. Each `GeneralName` MUST contain the HTTP URL of the Issuing CA's CRL service for this certificate.
+A `fullName` MUST contain at least one `GeneralName`; it MAY contain more than one. `GeneralName`s MUST be of type `uniformResourceIdentifier`, and the `URI Scheme` of each MUST be http. Each `GeneralName` MUST contain the HTTP URL of the Issuing CA's CRL service for this certificate.
##### 7.1.2.11.3 Signed Certificate Timestamp List
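Review bot: "the `URI Scheme` of each MUST be http" uses lower-case "http" while the AIA and policy tables edited in this same commit say "`URI Scheme` HTTP"; pick one form for the series, preferably the scheme name as written in a URI ("http"), and drop the backticks around the defined term as elsewhere. "MUST" here versus "SHALL" in the tables is a second inconsistency within the same commit.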