-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Baseline Requirements: Clarify the requirements about subCAs with a CABF OID in the CP #179
Comments
The way I read it the final paragraph in 7.1.6.1 with its references to 7.1.4.2.2 already makes it clear that that section is about the name requirements in subscriber certs associated with the different policy OIDs and not the subject name of the CA certificates. In addition when cert policies are asserted in a CA certificate it is about what policies that CA can assert in the certificates it issues which is why it can contain one or more of the CABF policy OIDs, but you would not put more than one in the subscriber certificate. |
@techliaison I don't think the existing language can be read the way you describe, although I agree, that's the intent (and why I wanted to file this issue) The references to Section 7.1.4.2.2 are specific to certain fields, and so you can't read it as saying With respect to Certificate Policies in CA certificates, there is relevance here to the BRs, because if the CA is asserting that it issues certificates that conform to the BRs, it's also by very definition asserting that it also complies with the BRs, since a subscriber certificate cannot conform to the BRs if its parent does not also. |
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
As @sleevi mentioned above, the current requirement prevents a Subordinate CA certificate from explicitly listing both the DV OID and the OV OID, which it's required to to do if it wishes to issue both DV and OV certificates. To go a step further, this requirement prohibits the inclusion of the DV Policy OID into CA certificates, so any/all CAs that assert the DV Policy OID are in technical violation of this requirement. There are quite a few: |
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
There is one more section that plays into this. Section 7.1.4.3 requires the organizationName in the cert. Since you can't include the DV OID in the cert and an orgnaizationName in cert, if this isn't applied only to end entity certs you can't create any ICAs limited to DV. The only choice you have is anyPolicy. |
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
I'll add this to the Validation Subcommittee agenda for this week. We should be able to resolve this relatively easily. |
No need. It's already part of the cleanups and clarifications, as I flagged this on the validation list back in May and we had some discussion about it. |
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
* Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>
* Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>
* Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>
* Ballot SC28v6: Logging and Log Retention (#222) Add SC28 * SC35: Cleanups and Clarifications (#208) (#223) * Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> * Update version numbers and cover pages. * Update effective date to 2020-10-19. * Update version for the cover page Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>
In Section 7.1.6.1 of the Baseline Requirements, it reads as follows: https://github.com/cabforum/documents/blob/6e0b8e61590164eb2d686ddcf266b189f46fc636/docs/BR.md#L1803-L1807
and
https://github.com/cabforum/documents/blob/6e0b8e61590164eb2d686ddcf266b189f46fc636/docs/BR.md#L1812
and
https://github.com/cabforum/documents/blob/6e0b8e61590164eb2d686ddcf266b189f46fc636/docs/BR.md#L1818
In effect, if a certificate asserts a DV OID, then it MUST NOT contain an
organizationName
. Similarly, if it asserts an OV OID, then it MUST contain anorganizationName
.As stated in Section 7.1.6.1, these requirements apply to Root CAs, Subordinate CAs, and End-Entity certificates. However, this requirement prevents a Subordinate CA certificate from explicitly listing both the DV OID and the OV OID, which it's required to to do if it wishes to issue both DV and OV certificates.
Normally, this would be handled by having the subordinate CA use the
anyPolicy
OID. However, this is prohibited by Section 7.1.6.3 if the Subordinate CA is cross-certified or independently operated, as it reads:https://github.com/cabforum/documents/blob/6e0b8e61590164eb2d686ddcf266b189f46fc636/docs/BR.md#L1824-L1827
To resolve this, one approach would be to move the initial sentence of 7.1.6.1 into 7.1.6, and then clarify that the remainder of the OIDs' description are statement about the End Entity certificates and that CAs bearing the OIDs are subject to the overall BRs, but not necessarily with respect to the Subject profiles (which are dealt with in Section 7.1.4)
The text was updated successfully, but these errors were encountered: