(Draft Ballot) Browser Alignment #10
Conversation
sleevi
force-pushed
the
2019-10-Browser_Alignment
branch
from
85d001c
to
5ed2a27
Compare
sleevi
changed the title
Highlighted in #10 (comment) , but more specifically, the Microsoft requirement states (emphasis added) Issuing CA certificates that chain to a participating Root CA must be constrained to **a single EKU** (e.g., separate Server Authentication, S/MIME, Code Signing, and Time Stamping uses.
|
I think the OCSP signing EKU should be permitted in CA certificates to permit direct signing of OCSP responses. What was the reason for adding that to the excluded list of EKUs? |
|
For CRL reasons you specify some (all?) Reason Codes that are not permitted:
That does not appear to be an exhaustive list of codes that MUST NOT be used, because removeFromCRL should never be on the list (perhaps by definition it can't be in a CRL, not sure). Instead of listing what cannot be in the CRL, should we list the values that are permitted from RFC 5280? This is the list. Are 1-5 the only ones we'd ever want to see, and 2 only for CA certificates? |
The EKU isn't required for signing OCSP responses directly from the issuer. (Reference: mozilla.dev.security.policy) Instead, the Delegated OCSP responders are only permitted to have a single EKU, |
I'm not sure I follow. Are you suggesting this can't be used for an OCSP response, a CRL response, or both? It's permitted for use in CRL, even when The BRs haven't forbidden Delta CRLs from being used, so I left it in. I think you're getting to the point of where I was going with a CRL/OCSP profile, which would clarify the expectations here, but I was thinking of that as more future work.
For better or worse, root programs don't express prohibitions on While I'm definitely a fan of a prescriptivist approach to CRL reasons, and would like to see a ballot addressing that (and the broader profile), I was mostly only trying to capture the existing requirements here. |
|
In light of the preceding bullet, I think this is confusing: "The reasonCode extension MUST NOT be present for unspecified revocations. RFC 5280 places this as a SHOULD, due to requiring an additional 12 bytes to encode the extension that is semantically equivalent to omitting it. The combination of requiring meaningful revocation reasons and wanting to ensure reasonably-sized CRLs means this value MUST NOT be present. (Section 7.2.2 (a))" Is this provision just for End Entity CRLs? Also, this is confusing - "On 2020-09-01T00:00:00Z, the validity period for Subscriber certificates MUST be less than or equal to 398 days, and SHOULD be less than or equal to 397 days." Why is the "SHOULD" phrase there? |
The SHOULD is there to formally note the potential complications presented by UAs strictly enforcing validity periods which can include leap-seconds or similar "fuzzy" time increments. If a CA issues a certificate for the absolute maximum of 398 days, the risk is far greater than if they issue a certificate for an absolute maximum of 397 days, hence CAs should issue for a maximum below the maximum enforced by browsers or OSes. |
|
Is there a prohibition on having a Sub CA where the EKU is just clientAuth? See: "For Subordinate CA Certificates that are not used to issue TLS certificates, then the values id-kp-serverAuth [RFC5280] and/or id-kp-clientAuth [RFC5280] MUST NOT be present." |
This is in the ballot description, not the text. Are you saying you found Section 7.2.2(a) confusing? Or that you found the description confusing? This section describes two separate requirements. One is a requirement for how to encode a CRL reason - in any CRL. The other is a requirement that you must provide a reason for an intermediate. These requirements, while separate, are meant to address confusion about CRL reasons, such as a CA thinking they could meet the first obligation by encoding "unspecified"
Beyond @clintwilson's remarks, this is clearly stated in Apple's policy: https://support.apple.com/en-us/HT211025 |
Thanks for pointing that out. That was a typo that should have gotten fixed in 45208d9 which @clintwilson had spotted. This is due to our existing (BRs) language around technically constrained sub-CA making it a certificate that only contains |
We agree. The OCSP-signing EKU is not prohibited by current Microsoft policy. |
I’m afraid you’re mistaken. I encourage you to cite what you believe permits it, but the current language is clear at https://aka.ms/rootcert 3.A.8
Of course, the current language only prohibits it in certificates used to issue TLS certificates. This is the only implementation that makes sense, and matches and aligns with existing practices of Mozilla.
So there’s no need to permit joint ocspSigning and TLS. OcspSigning does not require EKU chaining. So there’s no plans to change this language, unless I’m missing an important caveat of policy or RFC6960 (and if so, please cite). |
Address the comments from SecureTrust by making it clearer that the requirements apply to both IDNA2003 and/or IDNA2008, by incorporating RFC 8399. Address the comments from Mozilla by clarifying that as far as the Baseline Requirements go, this is not intended to require revocation of existing, non-TLS-capable CAs, but is intended to ensure that all newly issued certificates comply with this requirement. Any CA which has a non-compliant configuration may need to transition to a new issuing intermediate, and thus an effective date of 2020-09-30 is provided to allow for key ceremonies to be performed.
Highlighted in #10 (comment) , but more specifically, the Microsoft requirement states (emphasis added) Issuing CA certificates that chain to a participating Root CA must be constrained to **a single EKU** (e.g., separate Server Authentication, S/MIME, Code Signing, and Time Stamping uses.
sleevi
force-pushed
the
2019-10-Browser_Alignment
branch
from
91125b8
to
0090396
Compare
To be fair, the root program change was made before the Bratislava update, so there was even greater risk of non-compliance ;) However, as noted, the effective date here is intentional, because it permits scheduling and generating new CRLs. Consider alternatives, such as "For revocations after {date X}". Such a requirement is ambiguous, such as whether it applies based on the revocationDate within the CRL, when the ceremony is performed, when the repository is updated, etc. This was trying to pick the least ambiguous date, and based on the existing requirement wording. |
The requirements on Audit Report content are updated to align with the requirements placed by Mozilla. The requirements on Audit Report delivery are updated to align with the requirements placed by Microsoft. The requirements on OCSP responses are updated to align with the requirements placed by Microsoft. The requirements on certificatePolicies for Subscriber Certificates are updated to align with the requirements placed by Microsoft.
Microsoft Policy requires that OCSP MUST be supported. This removes the exception for stapling.
Both Microsoft and Mozilla forbid the use of DSA. Mozilla forbids the use of NIST P-521 and requires that the hash algorithm for ECC keys matches in output length as the key size (e.g. P-256 = ecdsa-with-sha256).
RFC 5280 requires that authorityKeyIdentifier MUST be present and MUST contain a keyIdentifier field for all certificates except self-signed certificates intended as trust anchors. Mozilla further requires that authorityKeyIdentifiers not simultaneously include the key ID and the issuer's name and serial number.
Clarify Section 7.1.4.1 to better express the rules in RFC 5280, Section 4.1.2.4 and 4.1.2.6. In general, RFC 5280 requires that new certificates MUST use the UTF8String or PrintableString encodings within DirectoryString subject names. There are exceptions given, for backwards compatibility, where the CA MAY use the pre-existing encoding. This aligns the MAY in RFC 5280 with the MUST in the implementations of Mozilla, Apple, and Google. The existing text tried to capture this MUST, but in a way that was ambiguous. Some CAs interpreted the language as reiterating the MAY, rather than expressing the MUST. The objective is to ensure that the entire contents of the Subject field SHOULD be memcmp()-able with the entire contents of the Issuer field. RFC 2459 defined a subset of the algorithm from X.500, only requiring case folding and whitespace normalization for PrintableString, which RFC 3280 continued. While RFC 5280 expanded this (including the StringPrep profile), implementations have not adopted this. However, the situations (in RFC 5280-and-predecessors) where these apply do not apply in the context of the Baseline Requirements; for example, there is no need for interoperability with LDAP identities in TLS server certificates. A CA can easily comply with this by ensuring 1) They don't issue new certificates for existing Subjects, generally. When they do (e.g. for cross-signing), ensure it's byte-for-byte identical 2) For new certificates - Issuing CAs, Root CAs, or Subscriber - they ensure they always use UTF8String or PrintableString (recommended: UTF8String only)
Update the audit criteria to align with the current versions used by WebTrust.
This updates the requirement on the CP/CPS to make an explicit annual versioning scheme required, as required by Mozilla. Related, this updates the Audit Report requirements to align with the current Microsoft and CCADB requirements, by removing the requirement for CAs to document explicitly which CAs are out of scope. It also aligns the language for "publicly accessible" by unhyphenating it, as well as adding Microsoft's requirement that the Audit Report be provided as a text-searchable PDF, in line with other industry's requirements on electronic document submission.
This incorporates the changes from the Mozilla Root Store Policy 2.7, which explicitly enumerates the permitted encodings for algorithms. Major changes to the BRs: - Explicitly enumerates permitted RSA key algorithms - Forbids the use of P-521 - Explicitly requires the signature+hash algorithm choice is appropriate for the key size - Explicitly enumerates the permitted cases for the use of SHA-1, such as only permitting its use with RSA. Major differences from Mozilla requirements: - The main difference is in the set of exceptions permitted for the issuance of SHA-1 Certificates (which presently precludes Certificates). Mozilla only permits the serial number changing if the new serial number is the same length as the old serial number. The BRs require that serial numbers are unique (RFC 5280), as well as requires that serial numbers contain at least 64-bits of entropy. Regardless of whether the Mozilla policy is interpreted as relaxing these requirements of the BRs, this change restructures the exception from how Mozilla worded it, to try and make it clearer that SHA-1 issuance does not supercede other requirements, including that the 'new' certificate must fully conform to the BRs.
Align with Microsoft's latest root program policy, which requires the CA indicate the reason for revocation if the revoked certificate is an intermediate certificate. To avoid terminology confusion, this makes the requirement apply for Root CA and Subordinate CA Certificates alike. This incorporates RFC 5280's SHOULD NOT for unspecified (0) as a MUST NOT. It also incorporates the prohibition on certificateHold, by way of Section 4.9.13. This clarifies for OCSP responses that the reason MUST be indicated via the RevokedInfo. RFC 6960 permits any CRL entry extension to also appear as an extension in the singleResponses field (see RFC 6960, Section 4.4.5), thus it's possible to omit from the RevokedInfo and instead stash as an extension
Highlighted in #10 (comment) , but more specifically, the Microsoft requirement states (emphasis added) Issuing CA certificates that chain to a participating Root CA must be constrained to **a single EKU** (e.g., separate Server Authentication, S/MIME, Code Signing, and Time Stamping uses.
Align the BRs with Apple requirements (https://support.apple.com/en-us/HT211025) This aligns the normative language in 6.3.2 to a clearer form (opting for "MUST NOT ... greater than" instead of "MUST ... no greater than") and the formatting of 'validity period' to the defined term "Validity Period" Co-authored-by: sleevi <ryan.sleevi@gmail.com>
Add in the fingerprint formatting requirements from the CCADB policy at https://www.ccadb.org/policy at Mozilla's request
As requested by Clint Wilson at Apple, avoid ambiguity in relevant dates by clarifying that the effective datetime is the 00:00:00 on the effective date in UTC. An alternative approach would have been to use ISO 8601-1 timestamps, but that was seen as too repetitive and may cause CAs to overlook the actual date.
This was a wording mangling from how "technically constrained sub-CAs" are defined versus how the Mozilla policy defined things. This aligns with the Mozilla policy, and, presumably, the Microsoft policy.
Merge in feedback from Microsoft based on their Root Program and upcoming changes to their Root Program Policy * The OCSP changes are partially reverted * Kept: A minimum validity period (eight hours) * Removed: The maximum validity of seven days is now restored to the existing 10 days * Changed: For validity periods < 16 hours, refresh must be 1/2 the interval. For validity > 16 hours, refresh must be the earlier of 4 days (existing BRs) or 8 hours before expiration (new) * P-521 restrictions (from the Mozilla Root Program) are removed * Microsoft would like to keep P-521 for the time being. It is still prohibited by Mozilla * Explicitly clarify that id-kp-clientAuth is allowed to be included in TLS server certificates and in TLS subordinate CAs. * Existing language meant it was "SHOULD NOT"; new language is that it MAY. * Clarify the Audit Period language by using the defined term * Clarify that ETSI audits MUST make reference to the applicable CA/Browser Forum documents
This updates to Mozilla policy, based on the mailing list discussion, to incorporate Section 5.2 of https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices to explicitly forbid Subscriber Key Generation for TLS server certificates. It also updates the Subscriber EKU to reflect that beyond requiring id-kp-serverAuth/id-kp-clientAuth, the value anyExtendedKeyUsage is explicitly prohibited.
Clarify that the new requirements for Audit Reports are triggered based on what dates were under audit. This allows audits that have started before the ballot's Effective Date to continue to adhere to the existing rules, while ensuring that new audits (effectively, audits started after the effective date) follow the new requirements. Rather than create a self-referential date, which then would need to be updated in a subsequent ballot, simply use August 1 as a stand-in for the effective date.
As these may require a ceremony to produce new CRLs, particularly for intermediate certificates, the effective date for the BRs is set as 2020-09-30. Root Programs MAY impose earlier effective dates, at their discretion.
Certificate Policies may require establishing a new issuing intermediate, if the CA assigned a policy OID to the intermediate and did not include one or more CA/Browser Forum OIDs. Because this may require a ceremony, the effective date is 2020-09-30.
Address the comments from SecureTrust by making it clearer that the requirements apply to both IDNA2003 and/or IDNA2008, by incorporating RFC 8399. Address the comments from Mozilla by clarifying that as far as the Baseline Requirements go, this is not intended to require revocation of existing, non-TLS-capable CAs, but is intended to ensure that all newly issued certificates comply with this requirement. Any CA which has a non-compliant configuration may need to transition to a new issuing intermediate, and thus an effective date of 2020-09-30 is provided to allow for key ceremonies to be performed.
While it affects how subjectAltNames/Generalnames are handled, it doesn't change the comparison algorithm for DNs.
Historically, Section 7.1.2.2 required CAs MUST support both CRLs and OCSP for Subordinate CA certificates (that is, the Sub-CA certificates themselves). An exception was given for stapling, but that exception largely did not make sense, because support for OCSP Multi-Staple is rare, although TLS 1.3 made that easier. Existing Root Programs prefer CRLs (Mozilla, Apple, Google) for Sub-CAs, and either make no statement about OCSP, or make it optional so that a CA only needs to support one of either OCSP or CRLs (Microsoft). As requiring OCSP for a Sub-CA effectively necessitates OCSP delegated signing, due to wanting to avoid having to periodically access root key material, and since OCSP delegated signing is not necessarily desirable, this makes OCSP support a MAY level for Sub-CAs, relying on the existing MUST level provision for CRLs.
sleevi
force-pushed
the
2019-10-Browser_Alignment
branch
from
fcd187a
to
eb916c9
Compare
The "anyExtendedKeyUsage" restriction for Subscriber certificates would effectively happen before the IP review period had concluded. Rather than have it retroactive, make it "effective immediately" Also, address some wording suggestions from @dzacharo to be clearer about the prohibition on Subscriber Key Generation.
The effective date for EV was accidentally left off. This avoids a repeat of Ballot 193 / Ballot 197.
This is now an official ballot at cabforum#195