From 43ce233ba8deffdafedc8f2e898b85fdb7d1df38 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Fri, 11 Nov 2022 00:43:48 -0800 Subject: [PATCH 1/2] SC-58: Require distributionPoint in sharded CRLs (#396) * SC-XX: Require distributionPoint in sharded CRLs The language in RFC 5280 regarding the interaction between the distributionPoint field of the Issuing Distribution Point CRL extension and the existence of sharded CRLs has led to significant debate on interpretation, and appears to contradict X.509. To protect against replacement attacks, make it explicitly clear that the Issuing Distribution Point extension and distributionPoint field are required for sharded or partitioned CRLs. * Remind readers that the IDP must be critical * Change effective date to Jan 15 * Change effective date in Section 1.2 table, too --- docs/BR.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/BR.md b/docs/BR.md index 1f88796e..02e4e715 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -174,6 +174,7 @@ The following Certificate Policy identifiers are reserved for use by CAs as an o | 2021-12-01 | 3.2.2.4 | CAs MUST NOT use methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19 to issue wildcard certificates or with Authorization Domain Names other than the FQDN. | | 2022-06-01 | 7.1.3.2.1 | CAs MUST NOT sign OCSP responses using the SHA-1 hash algorithm. | | 2022-09-01 | 7.1.4.2.2 | CAs MUST NOT include the organizationalUnitName field in the Subject | +| 2023-01-15 | 7.2.2 | Sharded or partitioned CRLs MUST have a distributionPoint | ## 1.3 PKI Participants @@ -2312,6 +2313,10 @@ Prior to including a Reserved Certificate Policy Identifier, the CA MUST ensure If a CRL entry is for a Certificate subject to these Requirements, the `CRLReason` MUST NOT be certificateHold (6). If a `reasonCode` CRL entry extension is present, the `CRLReason` MUST indicate the most appropriate reason for revocation of the certificate, as defined by the CA within its CP/CPS. + +2. `issuingDistributionPoint` (OID 2.5.29.28) + + Effective 2023-01-15, if a CRL does not contain entries for all revoked unexpired certificates issued by the CRL issuer, then it MUST contain a critical Issuing Distribution Point extension and MUST populate the `distributionPoint` field of that extension. ## 7.3 OCSP profile From 43dbc43671775f28a59f102d775ebe93db60472d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Wed, 14 Dec 2022 11:53:14 +0100 Subject: [PATCH 2/2] Update BR.md --- docs/BR.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 02e4e715..b2f6fd54 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1,9 +1,9 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates -subtitle: Version 1.8.4 +subtitle: Version 1.8.6 author: - CA/Browser Forum -date: 23 April, 2022 +date: 14 December, 2022 copyright: | Copyright 2022 CA/Browser Forum @@ -127,6 +127,8 @@ The following Certificate Policy identifiers are reserved for use by CAs as an o | 1.8.2 | SC53 | Sunset for SHA-1 OCSP Signing | 26-Jan-2022 | 4-Mar-2022 | | 1.8.3 | SC51 | Reduce and Clarify Log and Records Archival Retention Requirements | 01-Mar-2022 | 15-Apr-2022 | | 1.8.4 | SC54 | Onion Cleanup | 24-Mar-2022 | 23-Apr-2022 | +| 1.8.5 | SC56 | 2022 Cleanup | 25-Oct-2022 | 30-Nov-2022 | +| 1.8.6 | SC58 | Require distributionPoint in sharded CRLs | 7-Nov-2022 | 11-Dec-2022 | \* Effective Date and Additionally Relevant Compliance Date(s)