Make ocsp optional round 3 adjudication #7

Merged
71 changes: 37 additions & 34 deletions docs/BR.md
Expand Up @@ -1295,16 +1295,14 @@ Within twenty-four (24) hours of issuing its first Certificate, the CA MUST gene
- partitioned (i.e., "sharded") CRLs that, when aggregated, represent the equivalent of a full and complete CRL.

CAs issuing Subscriber Certificates:
1. MUST update and publish a new CRL within at least:
1. MUST update and publish a new CRL at least every:
- seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”); or
- four (4) days in all other cases;
2. MUST update and publish a new CRL within twenty-four (24) hours after recording a Certificate as revoked; and
3. MUST include a `nextUpdate` field value that is no more than ten (10) days beyond the value of the `thisUpdate` field.

CAs issuing CA Certificates:
1. MUST update and publish a new CRL within at least twelve (12) months;
1. MUST update and publish a new CRL at least every twelve (12) months;
2. MUST update and publish a new CRL within twenty-four (24) hours after recording a Certificate as revoked; and
3. MUST include a `nextUpdate` field value that is no more than twelve (12) months beyond the value of the `thisUpdate` field.

CAs MUST continue issuing CRLs until one of the following is true:
- all Subordinate CA Certificates containing the same Subject Public Key are expired or revoked; OR
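Review bot: item 1 of the "CAs issuing Subscriber Certificates" list still does not say which set of Certificates "if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod" refers to (every Certificate the CA has ever issued, every unexpired one, or only those within the scope of that CRL); a CA that has issued a single OCSP-less Certificate can read it either way, so spell the set out, e.g. "if all unexpired Certificates within the scope of the CRL include ...". The reworded "at least every" does resolve the old "within at least" ambiguity. Separately, for CAs issuing CA Certificates the publication interval ("at least every twelve (12) months") now equals the maximum `nextUpdate` offset in item 3 ("no more than twelve (12) months"), so any slip in publication hands relying parties an expired CRL; for Subscriber Certificates the interval (7 or 4 days) is deliberately shorter than the `nextUpdate` bound (10 days), and the CA Certificate list may want the same slack.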
Expand Down Expand Up @@ -2398,7 +2396,7 @@ In addition, `subject` Attributes MUST NOT contain only metadata such as '.', '-

**Notes**:
- whether or not the `subjectAltName` extension should be marked Critical depends on the contents of the Certificate's `subject` field, as detailed in [Section 7.1.2.7.12](#712712-subscriber-certificate-subject-alternative-name).
- whether or not the `crlDistributionPoints` extension must be present depends on 1) whether the Certificate includes an Authority Information Access extension with an id-ad-ocsp accessMethod and 2) the Certificate's validity period, as detailed in [Section 7.1.2.11.2](#712112-crl-distribution-points).
- whether or not the CRL Distribution Points extension must be present depends on 1) whether the Certificate includes an Authority Information Access extension with an id-ad-ocsp accessMethod and 2) the Certificate's validity period, as detailed in [Section 7.1.2.11.2](#712112-crl-distribution-points).

##### 7.1.2.7.7 Subscriber Certificate Authority Information Access
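Review bot: the two Notes bullets now mix naming conventions: the first keeps the ASN.1 identifier `subjectAltName` in backticks while the second switches from `crlDistributionPoints` to the prose name "CRL Distribution Points extension". Either style works, but use one within the same list; since the first bullet's link text already reads "Subject Alternative Name", "Subject Alternative Name extension" would match the new second bullet.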

Expand Down Expand Up @@ -2768,7 +2766,7 @@ The `AuthorityInfoAccessSyntax` MAY contain multiple `AccessDescription`s with t

| __Access Method__ | __OID__ | __Access Location__ | __Presence__ | __Maximum__ | __Description__ |
| -- | -- | ---- | - | - | --- |
| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's OCSP responder. |
| `id-ad-ocsp` | 1.3.6.1.5.5.7.48.1 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's OCSP responder. |
| `id-ad-caIssuers` | 1.3.6.1.5.5.7.48.2 | `uniformResourceIdentifier` | MAY | \* | A HTTP URL of the Issuing CA's certificate. |
| Any other value | - | - | MUST NOT | - | No other `accessMethod`s may be used. |
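Review bot: the old and new `id-ad-ocsp` rows are identical as rendered, so this looks like a whitespace-only change; if it is unintentional, drop it so the diff is limited to the substantive edits, and if it is intentional (trailing whitespace, for instance) say so in the commit message. While this row is being touched, "A HTTP URL" should read "An HTTP URL" in both the `id-ad-ocsp` and `id-ad-caIssuers` rows.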

Expand Down Expand Up @@ -3186,7 +3184,7 @@ If the CA asserts compliance with these Baseline Requirements, all CRLs that it

A full and complete CRL is a CRL whose scope includes all certificates issued by the CA.

A partitioned CRL (sometimes referred to as a "sharded CRL") is a CRL with a constrained scope, such as all certificates issued by the CA during a certain period of time ("temporal sharding"). Aside from the presence of the `IssuingDistributionPoint` extension (OID 2.5.29.28) in partitioned CRLs, both CRL formats are syntactically the same from the perspective of this profile.
A partitioned CRL (sometimes referred to as a "sharded CRL") is a CRL with a constrained scope, such as all certificates issued by the CA during a certain period of time ("temporal sharding"). Aside from the presence of the Issuing Distribution Point extension (OID 2.5.29.28) in partitioned CRLs, both CRL formats are syntactically the same from the perspective of this profile.

Minimally, CAs MUST issue either a "full and complete" CRL or a set of "partitioned" CRLs which cover the complete set of certificates issued by the CA. In other words, if issuing only partitioned CRLs, the combined scope of those CRLs must be equivalent to that of a full and complete CRL.
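Review bot: the running text now says "Issuing Distribution Point extension (OID 2.5.29.28)" while the CRL Extensions table later in this file still lists the extension as `IssuingDistributionPoint` and the section heading reads "CRL Issuing Distribution Point"; if the intended convention is prose name in running text and ASN.1 identifier in tables, state that somewhere and apply it consistently rather than renaming one mention. Also consider rewording "Aside from the presence of the Issuing Distribution Point extension in partitioned CRLs", which reads as if full and complete CRLs never carry that extension, whereas the CRL Extensions table only marks its presence as conditional (*).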

Expand All @@ -3197,15 +3195,15 @@ Table: CRL Fields
| __Field__ | __Presence__ | __Description__ |
| --- | ------ | ------ |
| `tbsCertList` | | |
|     `version` | MUST | MUST be v2(1), see [Section 7.2.1](#721-version-numbers) |
|     `signature` | MUST | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
|     `issuer` | MUST | MUST be byte-for-byte identical to the `subject` field of the Issuing CA. |
|     `thisUpdate` | MUST | Indicates the issue date of the CRL. |
|     `nextUpdate` | MUST | Indicates the date by which the next CRL will be issued. For CRLs covering Subscriber Certificates, at most 10 days after the `thisUpdate`. For other CRLs, at most 12 months after the `thisUpdate`. |
|     `revokedCertificates` | * | MUST be present if the CA has issued a certificate that has been revoked and the corresponding entry has yet to appear on at least one regularly scheduled CRL beyond the revoked certificate's validity period. The CA SHOULD remove an entry for a corresponding certificate after it has appeared on at least one regularly scheduled CRL beyond the revoked certificate's validity period. See the "revokedCertificates Component" table for additional requirements. |
|     `extensions` | MUST | See the "CRL Extensions" table for additional requirements. |
| `signatureAlgorithm` | MUST | Encoded value MUST be byte-for-byte identical to the `tbsCertList.signature`. |
| `signature` | MUST | - |
|     `version` | MUST | MUST be v2(1), see [Section 7.2.1](#721-version-numbers) |
|     `signature` | MUST | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) |
|     `issuer` | MUST | MUST be byte-for-byte identical to the `subject` field of the Issuing CA. |
|     `thisUpdate` | MUST | Indicates the issue date of the CRL. |
|     `nextUpdate` | MUST | Indicates the date by which the next CRL will be issued. For CRLs covering Subscriber Certificates, at most 10 days after the `thisUpdate`. For other CRLs, at most 12 months after the `thisUpdate`. |
|     `revokedCertificates` | * | MUST be present if the CA has issued a certificate that has been revoked and the corresponding entry has yet to appear on at least one regularly scheduled CRL beyond the revoked certificate's validity period. The CA SHOULD remove an entry for a corresponding certificate after it has appeared on at least one regularly scheduled CRL beyond the revoked certificate's validity period. See the "revokedCertificates Component" table for additional requirements. |
|     `extensions` | MUST | See the "CRL Extensions" table for additional requirements. |
| `signatureAlgorithm` | MUST | Encoded value MUST be byte-for-byte identical to the `tbsCertList.signature`. |
| `signature` | MUST | - |
| Any other value | NOT RECOMMENDED | - |

### 7.2.1 Version number(s)
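Review bot: every row of the CRL Fields table appears unchanged as rendered, so this hunk is presumably a change to the leading indentation of the nested `tbsCertList` fields (`version` through `extensions`). Check the rendered output before merging: Markdown renderers collapse ordinary leading spaces inside a table cell, so if non-breaking spaces were swapped for plain spaces the visual nesting under `tbsCertList` will disappear, and if plain spaces were swapped for non-breaking ones the nesting will render but depend on invisible characters that later editors will not see. A visible marker, such as prefixing the nested field names with `tbsCertList.`, would make the structure survive either way.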
Expand All @@ -3216,37 +3214,37 @@ Certificate Revocation Lists MUST be of type X.509 v2.

Table: CRL Extensions

| __Extension__ | __Presence__ | __Critical__ | __Description__ |
| ---- | - | - | ----- |
| `authorityKeyIdentifier` | MUST | N | See [Section 7.1.2.11.1](#712111-authority-key-identifier) |
| `CRLNumber` | MUST | N | MUST contain an INTEGER greater than or equal to zero (0) and less than 2¹⁵⁹, and convey a strictly increasing sequence. |
| `IssuingDistributionPoint` | * | Y | See [Section 7.2.2.1 CRL Issuing Distribution Point](#7221-crl-issuing-distribution-point) |
| Any other extension | NOT RECOMMENDED | - | |
| __Extension__ | __Presence__ | __Critical__ | __Description__ |
| ---- | - | - | ----- |
| `authorityKeyIdentifier` | MUST | N | See [Section 7.1.2.11.1](#712111-authority-key-identifier) |
| `CRLNumber` | MUST | N | MUST contain an INTEGER greater than or equal to zero (0) and less than 2¹⁵⁹, and convey a strictly increasing sequence. |
| `IssuingDistributionPoint` | * | Y | See [Section 7.2.2.1 CRL Issuing Distribution Point](#7221-crl-issuing-distribution-point) |
| Any other extension | NOT RECOMMENDED | - | - |

Table: revokedCertificates Component

| __Component__ | __Presence__ | __Description__ |
| ---- | - | ----- |
| `serialNumber` | MUST | MUST be byte-for-byte identical to the serialNumber contained in the revoked certificate. |
| `revocationDate` | MUST | Normally, the date and time revocation occurred. See the footnote following this table for circumstances where backdating is permitted. |
| `crlEntryExtensions` | * | See the "crlEntryExtensions Component" table for additional requirements. |
| __Component__ | __Presence__ | __Description__ |
| ---- | - | ----- |
| `serialNumber` | MUST | MUST be byte-for-byte identical to the serialNumber contained in the revoked certificate. |
| `revocationDate` | MUST | Normally, the date and time revocation occurred. See the footnote following this table for circumstances where backdating is permitted. |
| `crlEntryExtensions` | * | See the "crlEntryExtensions Component" table for additional requirements. |

**Note:** The CA SHOULD update the revocation date in a CRL entry when it is determined that the private key of the certificate was compromised prior to the revocation date that is indicated in the CRL entry for that certificate. Backdating the revocationDate field is an exception to best practice described in RFC 5280 (Section 5.3.2); however, these requirements specify the use of the revocationDate field to support TLS implementations that process the revocationDate field as the date when the Certificate is first considered to be compromised.

Table: crlEntryExtensions Component

| __CRL Entry Extension__ | __Presence__ | __Description__ |
| --- | - | ------ |
| `reasonCode` | * | When present (OID 2.5.29.21), MUST NOT be marked critical and MUST indicate the most appropriate reason for revocation of the Certificate. <br><br> MUST be present unless the CRL entry is for a Certificate not technically capable of causing issuance and either 1) the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023 or 2) the reason for revocation (i.e., reasonCode) is unspecified (0). <br><br>See the "CRLReasons" table for additional requirements. |
| Any other value | NOT RECOMMENDED | |
| __CRL Entry Extension__ | __Presence__ | __Description__ |
| --- | - | ------ |
| `reasonCode` | * | When present (OID 2.5.29.21), MUST NOT be marked critical and MUST indicate the most appropriate reason for revocation of the Certificate. <br><br> MUST be present unless the CRL entry is for a Certificate not technically capable of causing issuance and either 1) the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023 or 2) the reason for revocation (i.e., reasonCode) is unspecified (0). <br><br>See the "CRLReasons" table for additional requirements. |
| Any other value | NOT RECOMMENDED | - |

Table: CRLReasons

| __RFC 5280 reasonCode__ | __RFC 5280 reasonCode value__ | __Description__ |
| --- | - | ------ |
| unspecified | 0 | MUST be omitted if the CRL entry is for a Certificate not technically capable of causing issuance unless the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023.
| unspecified | 0 | Represented by the omission of a reasonCode. MUST be omitted if the CRL entry is for a Certificate not technically capable of causing issuance unless the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023.
| keyCompromise | 1 | Indicates that it is known or suspected that the Subscriber’s Private Key has been compromised. |
| affiliationChanged | 3 | Indicates that the Subject's name or other Subject Identity Information in the Certificate has changed, but there is no cause to suspect that the Certificate's Private Key has been compromised. |
| affiliationChanged | 3 | Indicates that the Subject's name or other Subject Identity Information in the Certificate has changed, but there is no cause to suspect that the Certificate's Private Key has been compromised. |
| superseded | 4 | Indicates that the Certificate is being replaced because: the Subscriber has requested a new Certificate, the CA has reasonable evidence that the validation of domain authorization or control for any fully‐qualified domain name or IP address in the Certificate should not be relied upon, or the CA has revoked the Certificate for compliance reasons such as the Certificate does not comply with these Baseline Requirements or the CA's CP or CPS. |
| cessationOfOperation | 5 | Indicates that the website with the Certificate is shut down prior to the expiration of the Certificate, or if the Subscriber no longer owns or controls the Domain Name in the Certificate prior to the expiration of the Certificate.
| certificateHold | 6 | MUST NOT be included if the CRL entry is for 1) a Certificate subject to these Requirements, or 2) a Certificate not subject to these Requirements and was either A) issued on-or-after 2020-09-30 or B) has a `notBefore` on-or-after 2020-09-30.
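Review bot: the sentence added to the `unspecified` (0) row, "Represented by the omission of a reasonCode.", conflicts with the sentence that follows it, "MUST be omitted if the CRL entry is for a Certificate not technically capable of causing issuance unless the CRL entry is for a Subscriber Certificate subject to these Requirements revoked prior to July 15, 2023": if unspecified is always represented by omission, the conditional is redundant, and if an explicit reasonCode value of 0 remains permitted for CA Certificates or for pre-July-2023 Subscriber entries, the first sentence is wrong. Say which is meant, e.g. "Represented by the omission of the reasonCode extension; an explicit value of 0 MUST NOT be used except ...", and align the `reasonCode` row of the crlEntryExtensions table ("MUST be present unless ... 2) the reason for revocation (i.e., reasonCode) is unspecified (0)") with that wording. Minor: the `unspecified`, `cessationOfOperation` and `certificateHold` rows lack the closing `|` that the other rows carry, and the `affiliationChanged` row appears unchanged as rendered, so verify that change is intentional.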
Expand All @@ -3259,7 +3257,12 @@ The privilegeWithdrawn reasonCode SHOULD NOT be made available to the Subscriber
When a CA obtains verifiable evidence of Key Compromise for a Certificate whose CRL entry does not contain a reasonCode extension or has a reasonCode extension with a non-keyCompromise reason, the CA SHOULD update the CRL entry to enter keyCompromise as the CRLReason in the reasonCode extension.

#### 7.2.2.1 CRL Issuing Distribution Point
Partitioned CRLs MUST include at least one of the names from the corresponding distributionPoint field of the cRLDistributionPoints extension of every certificate that is within the scope of this CRL. The encoded value MUST be byte-for-byte identical to the encoding used in the distributionPoint field of the certificate.

Partitioned CRLs MUST contain an Issuing Distribution Point extension. The `distributionPoint` field of the Issuing Distribution Point extension MUST be present. Additionally, the `fullName` field of the DistributionPointName value MUST be present, and its value MUST conform to the following requirements:

1. If a Certificate within the scope of the CRL contains a CRL Distribution Points extension, then at least one of the `uniformResourceIdentifiers` in the CRL Distribution Points's `fullName` field MUST be included in the `fullName` field of the CRL's Issuing Distribution Point extension. The encoding of the `uniformResourceIdentifier` value in the Issuing Distribution Point extension SHALL be byte-for-byte identical to the encoding used in the Certificate's CRL Distribution Points extension.
3. Other GeneralNames of type `uniformResourceIdentifier` MAY be included.
4. Non-`uniformResourceIdentifier` GeneralName types MUST NOT be included.

The `indirectCRL` and `onlyContainsAttributeCerts` fields MUST be set to `FALSE` (i.e., not asserted).
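Review bot: the numbered list under 7.2.2.1 runs 1, 3, 4; renumber it 1, 2, 3, or restore the missing item if one was dropped during the rewrite, since renderers that honour source numbering will show the gap. Two wording points in item 1: "SHALL be byte-for-byte identical" should be "MUST be byte-for-byte identical" to match the rest of the document, and "CRL Distribution Points's `fullName` field" should be "CRL Distribution Points extension's `fullName` field". Finally, item 1 only binds when an in-scope Certificate actually carries a CRL Distribution Points extension, which the Notes earlier in this diff allow to be absent depending on the AIA OCSP pointer and the validity period; a partitioned CRL whose scope holds only such Certificates is then constrained solely by items 3 and 4, so confirm that is the intent.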
