[Cscwg-public] MUST overridden by a MAY - Subordinate CA policies

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Sun Dec 3 12:43:04 UTC 2023 


On 22/11/2023 8:16 μ.μ., Bruce Morton via Cscwg-public wrote:
>
> I think a separate ballot is required. An alternative would be a 
> cleanup ballot, but I am not sure we have much content for a cleanup 
> ballot.
>
> Also, this information is missing from 
> https://cabforum.org/object-registry/:  codesigning-requirements(4) 
> timestamping(2) — 2.23.140.1.4.2  (Timestamp Certificate issued in 
> compliance with the Code Signing Baseline Requirements). Who can 
> update this page?
>

Done.
Dimitris.
>
> Thanks, Bruce.
>
> *From:*Martijn Katerbarg <martijn.katerbarg at sectigo.com>
> *Sent:* Wednesday, November 22, 2023 1:01 PM
> *To:* Bruce Morton <Bruce.Morton at entrust.com>; cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] Re: MUST overridden by a MAY - Subordinate CA 
> policies
>
> Hey Bruce,
>
> You’re pretty much taking the proposed language in my head and putting 
> it on paper 😊. Same for the listing above, for Code Signing CA 
> Certificates.
>
> Do we think a separate ballot is more appropriate for this?  I’d be a 
> minor one, then again, there’s no shortage of ballot numbers to use.
>
> Regards,
>
>
> Martijn
>
> *From: *Bruce Morton <Bruce.Morton at entrust.com>
> *Date: *Wednesday, 22 November 2023 at 18:03
> *To: *Martijn Katerbarg <martijn.katerbarg at sectigo.com>, 
> cscwg-public at cabforum.org <cscwg-public at cabforum.org>
> *Subject: *RE: MUST overridden by a MAY - Subordinate CA policies
>
> CAUTION: This email originated from outside of the organization. Do 
> not click links or open attachments unless you recognize the sender 
> and know the content is safe.
>
> Hi Martijn,
>
> I agree that the language needs improvement. It might be better if the 
> requirement was:
>
> A Certificate issued after 31 March 2022 to a Subordinate CA that 
> issues Timestamp Certificates and is an Affiliate of the Issuing CA 
> MUST include one of the following:
>
>  1. The CA/Browser Forum reserved identifier (2.23.140.1.4.2)to
>     indicate the Subordinate CA’s compliance with these Requirements; OR
>  2. The “anyPolicy” identifier (2.5.29.32.0).
>
> Does that work? If so, then maybe we should also cleanup the whole 
> section. Also, we might also consider deleting “to indicate the 
> Subordinate CA’s compliance with these Requirements”.
>
> Thanks, Bruce.
>
> *From:*Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of 
> *Martijn Katerbarg via Cscwg-public
> *Sent:* Wednesday, November 22, 2023 11:07 AM
> *To:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] [Cscwg-public] MUST overridden by a MAY - 
> Subordinate CA policies
>
> All,
>
> CSBR section 7.1.6.3 states:
>
> ”A Certificate issued to a Subordinate CA that issues Code Signing 
> Certificates and is an Affiliate of the Issuing CA:
>
>  1. MUST include the CA/Browser Forum reserved identifier specified in
>     Section 7.1.6.1
>     <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fblob%2Fmain%2Fdocs%2FCSBR.md%237161-reserved-certificate-policy-identifiers&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cb60ee174d3db4d5f89fe08dbeb7cee4d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638362694042639601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=m4fi%2Bly55B%2FLb4V%2FQA6%2BrqSwF%2F6WnA89gQcdx7jaeuY%3D&reserved=0>
>     to indicate the Subordinate CA's compliance with these
>     Requirements, and
>  2. MAY contain the "anyPolicy" identifier (|2.5.29.32.0|) in place of
>     an explicit policy identifier.
>
> A Certificate issued after 31 March 2022 to a Subordinate CA that 
> issues Timestamp Certificates and is an Affiliate of the Issuing CA:
>
>  1. MUST include the CA/Browser Forum reserved identifier specified in
>     Section 7.1.6.1
>     <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fblob%2Fmain%2Fdocs%2FCSBR.md%237161-reserved-certificate-policy-identifiers&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cb60ee174d3db4d5f89fe08dbeb7cee4d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638362694042639601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=m4fi%2Bly55B%2FLb4V%2FQA6%2BrqSwF%2F6WnA89gQcdx7jaeuY%3D&reserved=0>
>     to indicate the Subordinate CA’s compliance with these
>     Requirements, and
>  2. MAY contain the “anyPolicy” identifier (|2.5.29.32.0|) in place of
>     an explicit policy identifier.”
>
> I find there’s a few issues with this:
>
>   * “MUST include the CA/Browser Forum reserved identifier specified
>     in Section 7.1.6.1
>     <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fblob%2Fmain%2Fdocs%2FCSBR.md%237161-reserved-certificate-policy-identifiers&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cb60ee174d3db4d5f89fe08dbeb7cee4d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638362694042639601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=m4fi%2Bly55B%2FLb4V%2FQA6%2BrqSwF%2F6WnA89gQcdx7jaeuY%3D&reserved=0>”,
>     seems to state there’s only one policy OID to use, while in fact
>     there are 3 in the named section, 2 which are for code signing
>     certificates. This is a minor issue though and could be fixed in a
>     cleanup ballot.
>   * More concerning I find the MUST and MAY language. If we take the
>     language related to CA Certificates for Code Signing Certificates,
>     what does this language actually state? Should this be interpreted as:
>
>       o MUST include a CABF OID and MAY additionally contain the
>         “anyPolicy” OID.
>         or does it state:
>       o MUST include either a CABF OID or the “anyPolicy” OID?
>
> I would like to think the intent here is to allow CA Certificates with 
> just the “anyPolicy” OID, but at the same time, a MAY overriding a 
> MUST, seems counterproductive.
>
> Any thoughts on this?
>
> Regards,
>
> Martijn
>
> /Any email and files/attachments transmitted with it are intended 
> solely for the use of the individual or entity to whom they are 
> addressed. If this message has been sent to you in error, you must not 
> copy, distribute or disclose of the information it contains. _Please 
> notify Entrust immediately and delete the message from your system._/
>
>
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20231203/ad496e07/attachment-0001.html>

More information about the Cscwg-public mailing list