[Cscwg-public] MUST overridden by a MAY - Subordinate CA policies

Tim Hollebeek tim.hollebeek at digicert.com
Wed Nov 22 18:30:48 UTC 2023


Yes, I like Bruce’s rewrite better.

Using MAY to describe exceptions to MUST is common in some standards (including the BRs in places), but strictly speaking it’s a violation of RFC 2119 and we should (MUST? 😊) fix them when we find them.  “MUST do X and MAY do Y instead” is just wrong.

A MUST requirement is an absolute requirement.  Providing a MAY for a replacement option introduces a contradiction, not an exception.

-Tim

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-public
Sent: Wednesday, November 22, 2023 12:03 PM
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] MUST overridden by a MAY - Subordinate CA policies

Hi Martijn,

I agree that the language needs improvement. It might be better if the requirement was:

A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA MUST include one of the following:

1. The CA/Browser Forum reserved identifier (2.23.140.1.4.2) to indicate the Subordinate CA’s compliance with these Requirements; OR
2. The “anyPolicy” identifier (2.5.29.32.0).

Does that work? If so, then maybe we should also clean up the whole section. We might also consider deleting “to indicate the Subordinate CA’s compliance with these Requirements”.

Thanks, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Martijn Katerbarg via Cscwg-public
Sent: Wednesday, November 22, 2023 11:07 AM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] [Cscwg-public] MUST overridden by a MAY - Subordinate CA policies

All,

CSBR section 7.1.6.3 states:

“A Certificate issued to a Subordinate CA that issues Code Signing Certificates and is an Affiliate of the Issuing CA:

1. MUST include the CA/Browser Forum reserved identifier specified in Section 7.1.6.1 <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers> to indicate the Subordinate CA's compliance with these Requirements, and
2. MAY contain the "anyPolicy" identifier (2.5.29.32.0) in place of an explicit policy identifier.

A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA:

1. MUST include the CA/Browser Forum reserved identifier specified in Section 7.1.6.1 <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers> to indicate the Subordinate CA’s compliance with these Requirements, and
2. MAY contain the “anyPolicy” identifier (2.5.29.32.0) in place of an explicit policy identifier.”

I find there are a few issues with this:

* “MUST include the CA/Browser Forum reserved identifier specified in Section 7.1.6.1 <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers>” seems to state there’s only one policy OID to use, while in fact there are 3 in the named section, 2 of which are for code signing certificates. This is a minor issue though and could be fixed in a cleanup ballot.
* More concerning, I find, is the MUST and MAY language. If we take the language related to CA Certificates for Code Signing Certificates, what does this language actually state? Should this be interpreted as:

  * MUST include a CABF OID and MAY additionally contain the “anyPolicy” OID.

  or does it state:

  * MUST include either a CABF OID or the “anyPolicy” OID?

I would like to think the intent here is to allow CA Certificates with just the “anyPolicy” OID, but at the same time, a MAY overriding a MUST seems counterproductive.

Any thoughts on this?

Regards,

Martijn

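As an added example (not from any message in this thread), a small Python check that decodes the policy OIDs from a DER-encoded certificatePolicies extension value and evaluates an affiliate Subordinate CA certificate under both readings Martijn lists, the strict one (CABF OID required, anyPolicy only in addition) and Bruce's rewrite (one of the two). The code-signing OID 2.23.140.1.4.1 and the three extension values are assumptions constructed for the example; only 2.23.140.1.4.2 and 2.5.29.32.0 appear in the thread.

```python
# Added example: decode policyIdentifier OIDs from a DER certificatePolicies value
# and test an affiliate Sub CA under both readings of CSBR 7.1.6.3 (stdlib only).
CABF_TIMESTAMP_OID = "2.23.140.1.4.2"    # quoted in the thread
CABF_CODESIGNING_OID = "2.23.140.1.4.1"  # assumption: CSBR 7.1.6.1 code signing OID
ANY_POLICY_OID = "2.5.29.32.0"           # quoted in the thread
CABF_RESERVED = {CABF_TIMESTAMP_OID, CABF_CODESIGNING_OID}

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode OID contents octets (X.690 base-128 arcs) to dotted text."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """List the policyIdentifier of each PolicyInformation, in order."""
    _, seq, _ = _read_tlv(ext_value, 0)     # outer SEQUENCE OF PolicyInformation
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)        # PolicyInformation
        oid_tag, oid_body, _ = _read_tlv(info, 0)   # policyIdentifier comes first
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(_decode_oid(oid_body))
    return oids

def check_sub_ca_policies(ext_value):
    """Evaluate the two interpretations Martijn lists for an affiliate Sub CA."""
    oids = set(policy_oids(ext_value))
    has_cabf, has_any = bool(oids & CABF_RESERVED), ANY_POLICY_OID in oids
    return {"strict": has_cabf,              # CABF OID required, anyPolicy only extra
            "either": has_cabf or has_any}   # Bruce's rewrite: one of the two

# Constructed DER values (not real certificates): anyPolicy only, CABF only, both.
ANY_ONLY = bytes.fromhex("3008 3006 0604 551d2000")
CABF_ONLY = bytes.fromhex("300a 3008 0606 67810c010402")
BOTH = bytes.fromhex("3012 3008 0606 67810c010402 3006 0604 551d2000")
```

A certificate carrying only anyPolicy passes Bruce's wording and fails the strict reading, which is exactly the ambiguity the thread is about.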
