<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Proposal: short-lived certificates and revocation information in the Baseline Requirements</title>
</head>
<body>
<p>Hi everyone,</p>
<p>One of the current discussions in the CAB Forum is the issuance of short-lived certificates. I thought I’d move the discussion over to this public list for additional input. This is the proposal (which has been updated from its original post based on the comments received so far):</p>
<p>While reviewing the baseline requirements, we noticed an odd situation where the baseline requirements permit a CA to omit any revocation information in a certificate. We also noticed that the baseline requirements don't permit the use of short-lived certificates. As discussed previously, short-lived certificates have a lifecycle of about seven days. Because the lifecycle is short, the risks associated with a compromised certificate are minimized, making revocation information in the certificate unnecessary. Because short-lived certificates are highly sensitive to the accuracy of a relying party's system time, for fault-tolerance purposes it is best if short-lived certificates have a “valid from” date/time that pre-dates the actual date/time of issuance. Having the certificate be valid for a period of 14 days (seven on either side of the issuance date) helps eliminate the accuracy concerns.</p>
<p>Appendix B of the baseline requirements states:</p>
<p><i>B. cRLDistributionPoints</i></p>
<p><i>This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service. See Section 13.2.1 for details.</i></p>
<p><i>C. authorityInformationAccess</i></p>
<p><i>With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2). See Section 13.2.1 for details.</i></p>
<p><i>The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted provided that the Subscriber “staples” OCSP responses for the Certificate in its TLS handshakes [RFC4366].</i></p>
<p>This results in an odd situation where a CA can issue a certificate without either a CRL or AIA if the customer promises to use OCSP stapling. A customer won’t serve a revoked status for its own certificate through its server, meaning the certificate can never be effectively revoked. Compare this to Appendix B of the EV Guidelines.</p>
<p><i>(B) cRLDistributionPoint</i></p>
<p><i>This extension SHOULD be present and MUST NOT be marked critical. If present, it MUST contain the HTTP URL of the CA’s CRL service. This extension MUST be present if the certificate does not specify OCSP responder locations in an authorityInformationAccess extension. See Section 11 for details.</i></p>
<p><i>(C) authorityInformationAccess</i></p>
<p><i>This extension SHOULD be present and MUST NOT be marked critical. If present, it MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1).</i></p>
<p><i>An HTTP URL MAY be included for the Subordinate CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2)</i></p>
<p><i>This extension MUST be present if the certificate does not contain a cRLDistributionPoint extension. See Section 11 for details.</i></p>
<p>To accommodate short-lived certificates and remedy this loophole, I propose we modify the baseline requirements as follows (underlined text is proposed new wording):</p>
<p><u>(new definition) Short Lived Certificates: A Certificate with a “Valid To” date that is seven or less days from the date of issuance and a “Valid From” date that is no more than seven days prior to the date of issuance.</u></p>
<p>13.1.5 Reasons for Revocation</p>
<p><u>If one or more of the following reasons for revocation occurs, a CA SHALL, within 24 hours, (i) revoke all affected Certificates that contain a cRLDistributionPoint or an authorityInformationAccess extension and (ii) cease issuing Short Lived Certificates to the Subscriber until none of the reasons for revocation apply.</u></p>
<p>13.2.2 Repository</p>
<p>The CA SHALL maintain an online 24x7 Repository that application software can use to automatically check the current status of all unexpired Certificates <u>(except Short Lived Certificates)</u> issued by the CA. <u>The CA MAY include certificate status information for Short Lived Certificates in its Repository.</u></p>
<p>Appendix B – Certificate Extensions (Normative)</p>
<p><b>Subordinate CA Certificates</b></p>
<p>B. cRLDistributionPoint</p>
<p>This extension <u>MUST</u> be present <u>and</u> MUST NOT be marked critical. This extension MUST contain the HTTP URL of the CA’s CRL service.</p>
<p>C. authorityInformationAccess</p>
<p>With the exception of stapling, which is noted below, this extension <u>MAY</u> be present. <u>If present, this extension</u> MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2). See Section 13.2.1 for details.</p>
<p><b>Subscriber Certificates</b></p>
<p>B. cRLDistributionPoint</p>
<p>This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service. <u>This extension MUST be present if the certificate does not specify OCSP responder locations in an authorityInformationAccess extension and the certificate is not a Short Lived Certificate.</u></p>
<p>C. authorityInformationAccess</p>
<p>With the exception of stapling, which is noted below, <u>Short Lived Certificates</u>, this extension MUST be present. <u>This extension MAY be present in Short Lived Certificates</u>. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2). See Section 13.2.1 for details.</p>
<p>Jeremy</p>
</body>
</html>
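<p>As an added example (not part of the proposal above or of any CAB Forum document), the following Python models the proposed Short Lived Certificate definition and the proposed Subscriber Certificate rules from Appendix B: it classifies a certificate from its issuance time and validity window, reports how many days of relying-party clock skew the backdated 14-day window tolerates at issuance, and flags a certificate that carries neither a cRLDistributionPoint nor an OCSP location without being Short Lived. The <code>Cert</code> model, its field names and the sample values are assumptions made for the example.</p>

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_BACKDATE = timedelta(days=7)  # "Valid From" at most 7 days before issuance
MAX_LIFETIME = timedelta(days=7)  # "Valid To" at most 7 days after issuance
OCSP_OID = "1.3.6.1.5.5.7.48.1"   # id-ad-ocsp accessMethod, as quoted in Appendix B

@dataclass
class Cert:
    """Hypothetical minimal model of the fields the proposal reasons about."""
    issued_at: datetime                                # actual date/time of issuance
    not_before: datetime                               # "Valid From"
    not_after: datetime                                # "Valid To"
    crl_dp: list[str] = field(default_factory=list)    # cRLDistributionPoint HTTP URLs
    aia: dict[str, str] = field(default_factory=dict)  # AIA accessMethod OID -> HTTP URL

def is_short_lived(c: Cert) -> bool:
    """Proposed definition of a Short Lived Certificate."""
    return (c.not_after - c.issued_at <= MAX_LIFETIME
            and c.issued_at - c.not_before <= MAX_BACKDATE)

def skew_tolerated_at_issuance(c: Cert) -> tuple[int, int]:
    """Whole days a relying party's clock may run slow / fast at issuance time and
    still see the certificate as valid; the proposed 14-day window gives (7, 7)."""
    return (c.issued_at - c.not_before).days, (c.not_after - c.issued_at).days

def subscriber_cert_violations(c: Cert) -> list[str]:
    """Check the proposed Appendix B rules for Subscriber Certificates."""
    problems = []
    has_ocsp = OCSP_OID in c.aia
    if not c.crl_dp and not has_ocsp and not is_short_lived(c):
        problems.append("no cRLDistributionPoint and no OCSP location, "
                        "yet not a Short Lived Certificate")
    if c.aia and not has_ocsp:
        problems.append("authorityInformationAccess lacks the OCSP responder URL")
    return problems

def sample_certs() -> dict[str, Cert]:
    """Constructed sample certificates (not real issuances)."""
    t = datetime(2012, 1, 10, 12, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    return {
        "short_lived": Cert(t, t - 7 * day, t + 7 * day),
        "eight_day_backdate": Cert(t, t - 8 * day, t + 7 * day),
        "one_year_no_pointers": Cert(t, t, t + 365 * day),
        "one_year_crl": Cert(t, t, t + 365 * day, crl_dp=["http://crl.example/ca.crl"]),
    }
```

The eight-day backdate sample shows that exceeding the seven-day "Valid From" allowance alone is enough to lose the Short Lived exemption, so such a certificate again needs a CRL or OCSP pointer under the proposed rules.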