Baseline Requirements: Clarify the requirements about subCAs with a CABF OID in the CP #179
Labels
Comments
|
The way I read it the final paragraph in 7.1.6.1 with its references to 7.1.4.2.2 already makes it clear that that section is about the name requirements in subscriber certs associated with the different policy OIDs and not the subject name of the CA certificates. In addition when cert policies are asserted in a CA certificate it is about what policies that CA can assert in the certificates it issues which is why it can contain one or more of the CABF policy OIDs, but you would not put more than one in the subscriber certificate. |
|
@techliaison I don't think the existing language can be read the way you describe, although I agree, that's the intent (and why I wanted to file this issue) The references to Section 7.1.4.2.2 are specific to certain fields, and so you can't read it as saying With respect to Certificate Policies in CA certificates, there is relevance here to the BRs, because if the CA is asserting that it issues certificates that conform to the BRs, it's also by very definition asserting that it also complies with the BRs, since a subscriber certificate cannot conform to the BRs if its parent does not also. |
sleevi
added a commit
to sleevi/cabforum-docs
that referenced
this issue
May 14, 2020
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
|
As @sleevi mentioned above, the current requirement prevents a Subordinate CA certificate from explicitly listing both the DV OID and the OV OID, which it's required to to do if it wishes to issue both DV and OV certificates. To go a step further, this requirement prohibits the inclusion of the DV Policy OID into CA certificates, so any/all CAs that assert the DV Policy OID are in technical violation of this requirement. There are quite a few: |
sleevi
added a commit
to sleevi/cabforum-docs
that referenced
this issue
Jun 18, 2020
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
sleevi
added
the
baseline-requirements
|
There is one more section that plays into this. Section 7.1.4.3 requires the organizationName in the cert. Since you can't include the DV OID in the cert and an orgnaizationName in cert, if this isn't applied only to end entity certs you can't create any ICAs limited to DV. The only choice you have is anyPolicy. |
sleevi
added a commit
to sleevi/cabforum-docs
that referenced
this issue
Jul 27, 2020
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
|
I'll add this to the Validation Subcommittee agenda for this week. We should be able to resolve this relatively easily. |
|
No need. It's already part of the cleanups and clarifications, as I flagged this on the validation list back in May and we had some discussion about it. |
sleevi
added a commit
to sleevi/cabforum-docs
that referenced
this issue
Jul 27, 2020
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
This was referenced Aug 6, 2020
sleevi
added a commit
to sleevi/cabforum-docs
that referenced
this issue
Aug 25, 2020
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
dzacharo
pushed a commit
that referenced
this issue
Sep 14, 2020
* Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Merged
dzacharo
added a commit
that referenced
this issue
Sep 14, 2020
* Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>
dzacharo
added a commit
that referenced
this issue
Oct 16, 2020
* Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>
wthayer
pushed a commit
that referenced
this issue
Oct 19, 2020
* Ballot SC28v6: Logging and Log Retention (#222) Add SC28 * SC35: Cleanups and Clarifications (#208) (#223) * Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> * Update version numbers and cover pages. * Update effective date to 2020-10-19. * Update version for the cover page Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In Section 7.1.6.1 of the Baseline Requirements, it reads as follows: https://github.com/cabforum/documents/blob/6e0b8e61590164eb2d686ddcf266b189f46fc636/docs/BR.md#L1803-L1807
and
https://github.com/cabforum/documents/blob/6e0b8e61590164eb2d686ddcf266b189f46fc636/docs/BR.md#L1812
and
https://github.com/cabforum/documents/blob/6e0b8e61590164eb2d686ddcf266b189f46fc636/docs/BR.md#L1818
In effect, if a certificate asserts a DV OID, then it MUST NOT contain an
organizationName. Similarly, if it asserts an OV OID, then it MUST contain anorganizationName.As stated in Section 7.1.6.1, these requirements apply to Root CAs, Subordinate CAs, and End-Entity certificates. However, this requirement prevents a Subordinate CA certificate from explicitly listing both the DV OID and the OV OID, which it's required to to do if it wishes to issue both DV and OV certificates.
Normally, this would be handled by having the subordinate CA use the
anyPolicyOID. However, this is prohibited by Section 7.1.6.3 if the Subordinate CA is cross-certified or independently operated, as it reads:https://github.com/cabforum/documents/blob/6e0b8e61590164eb2d686ddcf266b189f46fc636/docs/BR.md#L1824-L1827
To resolve this, one approach would be to move the initial sentence of 7.1.6.1 into 7.1.6, and then clarify that the remainder of the OIDs' description are statement about the End Entity certificates and that CAs bearing the OIDs are subject to the overall BRs, but not necessarily with respect to the Subject profiles (which are dealt with in Section 7.1.4)
The text was updated successfully, but these errors were encountered: