<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Kelvin,<br>
<br>
On 10/8/2014 12:40 AM, Kelvin Yiu wrote:<br>
</div>
<blockquote
cite="mid:1024a2bd4ba4495098f5337a4b35c502@BY2PR0301MB0678.namprd03.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
don’t have a problem if a CA chooses to use the BR OIDs
instead of their own OIDs to identify BR related certificate
policies as long as it is consistently used in the
certificate chain. My concern is with cases that do not
follow RFC 5280. For example, when BR OIDs are added to end-entity
certificates in addition to CA-specific OIDs when the CA
certificate explicitly contains only CA-specific OIDs.
<o:p></o:p></span></p>
</div>
</blockquote>
I realized this was a real use case where a single CP presents
different types of certificates and adding an xV OID makes it just
more clear. Are you saying this doesn't follow RFC 5280?<br>
<br>
Thanks,<br>
M.D. <br>
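<p>To make the RFC 5280 point in this thread concrete (Kelvin's case of a BR OID appearing in the end-entity certificate while the issuing CA certificate carries only the CA's own OID, and Ryan's remark that "OV" can be told from "DV" simply by checking the OPTIONAL Subject fields), here is an added Python example. It is not code from this thread, from any CA or from any browser. Certificates are plain dicts holding constructed sample data rather than parsed X.509; the DV/OV/EV policy OID values are the well-known CA/Browser Forum ones, <code>1.3.6.1.4.1.99999.1.1</code> is a placeholder for a CA's private policy arc, and the <code>OV_HINT_ATTRS</code> set plus the simplifications (no policy mappings or constraints, trust anchor excluded from the chain) are assumptions of the example.</p>

```python
"""Simplified RFC 5280 section 6.1 certificate-policy path processing with
CA/Browser Forum Baseline Requirements (BR) policy OID classification.

Added example; not code from the cabfpub thread, any CA or any browser.
Certificates are modelled as plain dicts built inline (constructed sample
data), not parsed X.509. Simplifications (assumptions): no policy mappings,
no policy/inhibit constraints, initial policy set = any-policy, and the
trust anchor is not part of the chain (RFC 5280 does not process its
policies).
"""

ANY_POLICY = "2.5.29.32.0"    # RFC 5280 anyPolicy
BR_DV = "2.23.140.1.2.1"      # CA/B Forum BR OID: domain validated
BR_OV = "2.23.140.1.2.2"      # CA/B Forum BR OID: organization validated
EV = "2.23.140.1.1"           # CA/B Forum EV Guidelines OID
BR_TYPES = {BR_DV: "DV", BR_OV: "OV", EV: "EV"}

# Subject attributes the BRs make OPTIONAL; their presence is the
# "check the Subject fields" OV heuristic from the thread (assumed set).
OV_HINT_ATTRS = ("O", "street", "L", "ST", "postalCode")

# Placeholder for a CA's own (private-arc) certificate policy OID.
PRIVATE_CP = "1.3.6.1.4.1.99999.1.1"


def chain_valid_policies(chain):
    """Return the policy OIDs that survive path processing for `chain`.

    `chain` runs from the CA certificate issued by the trust anchor down to
    the end-entity certificate; each element is a dict whose "policies"
    list holds the certificatePolicies OIDs ([] = extension absent).
    """
    valid = {ANY_POLICY}
    for cert in chain:
        pols = set(cert.get("policies", ()))
        if not pols:
            # certificatePolicies absent: the valid_policy_tree becomes
            # NULL and no later certificate can revive it.
            return set()
        if ANY_POLICY in valid:
            # Issuer side accepts any policy, so each policy this
            # certificate asserts becomes a valid node.
            valid = pols
        elif ANY_POLICY in pols:
            # anyPolicy in this certificate matches every expected policy
            # inherited from the issuer; other OIDs it asserts get no parent.
            pass
        else:
            # Only policies the issuer also asserted survive.
            valid = valid & pols
    return valid


def classify(chain):
    """Compare what the leaf asserts with what the chain actually validates."""
    leaf = chain[-1]
    asserted = set(leaf.get("policies", ()))
    valid = chain_valid_policies(chain)
    asserted_br = {BR_TYPES[o] for o in asserted if o in BR_TYPES}
    valid_br = {BR_TYPES[o] for o in valid if o in BR_TYPES}
    subject = leaf.get("subject", {})
    hint = "OV" if any(a in subject for a in OV_HINT_ATTRS) else "DV"
    return {
        "asserted": asserted_br,                # leaf-only view of the policy OIDs
        "chain_valid": valid_br,                # RFC 5280 path-processing view
        "not_validated_by_chain": asserted_br - valid_br,
        "subject_hint": hint,                   # OPTIONAL-subject-field heuristic
    }


LEAF_OV_SUBJECT = {"CN": "www.example.com", "O": "Example Corp",
                   "L": "Springfield", "C": "US"}

# Case A: the situation described in the thread -- the CA certificate
# carries only the CA's own OID, the end-entity adds the BR OV OID.
CHAIN_A = [
    {"subject": {"CN": "Example Issuing CA"}, "policies": [PRIVATE_CP]},
    {"subject": LEAF_OV_SUBJECT, "policies": [PRIVATE_CP, BR_OV]},
]
# Case B: own OID plus the CABF OID asserted consistently through the chain.
CHAIN_B = [
    {"subject": {"CN": "Example Issuing CA"}, "policies": [PRIVATE_CP, BR_OV]},
    {"subject": LEAF_OV_SUBJECT, "policies": [PRIVATE_CP, BR_OV]},
]
# Case C: issuing CA asserts anyPolicy; DV leaf with no organisation fields.
CHAIN_C = [
    {"subject": {"CN": "Example Issuing CA"}, "policies": [ANY_POLICY]},
    {"subject": {"CN": "www.example.com"}, "policies": [BR_DV]},
]

if __name__ == "__main__":
    for name, chain in (("A", CHAIN_A), ("B", CHAIN_B), ("C", CHAIN_C)):
        print(name, classify(chain))
```

<p>A relying party that reads only the leaf's certificatePolicies, the way the PKI Assessment Guidelines passage quoted later in the thread describes, sees case A as OV; the path-processing view shows that the BR OID was never validated by the issuing CA, which is exactly the inconsistency Kelvin raises. Case B is the "own OIDs plus the CABF ones" pattern and is consistent in both views, and case C shows the anyPolicy issuer and the Subject-field heuristic agreeing on DV.</p>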
<blockquote
cite="mid:1024a2bd4ba4495098f5337a4b35c502@BY2PR0301MB0678.namprd03.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Kelvin<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
Ben Wilson [<a class="moz-txt-link-freetext" href="mailto:ben.wilson@digicert.com">mailto:ben.wilson@digicert.com</a>]
<br>
<b>Sent:</b> Tuesday, October 7, 2014 12:56 PM<br>
<b>To:</b> Kelvin Yiu; Dean Coclin;
<a class="moz-txt-link-abbreviated" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a class="moz-txt-link-abbreviated" href="mailto:sleevi@google.com">sleevi@google.com</a>;
<a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: [cabfpub] OIDs for DV and OV<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
don’t think that the use of a policy OID in a certificate
necessarily “ignores” “rules” around policy processing in
RFC5280. I don’t think anyone has requested that we
require a policy constraints extension. We’re only talking
about putting a policy OID in a BR certificate, along with
any other policy OIDs the CA cares to insert. The primary
purpose of the CP OID is to assert the policy under which
the certificate has been issued. It is not to build a path
up the chain or constrain processing—those are secondary
considerations. I agree about the necessity of putting the
CP OID in your CPS and of being audited for compliance with
the policy (the BRs and EVGs acknowledge that a
point-in-time / readiness audit would be acceptable). <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
BRs are the closest thing to a Certificate Policy that
currently exists. It is “A named set of rules that
indicates the applicability of a certificate to a particular
community and/or class of application with common security
requirements.” Section D.7.1.6 of the PKI Assessment
Guidelines states, “The certificate policies extension is
intended to convey policy information or references to
policy information. Specifically, a PKI can place the
object identifier of a certificate policy within the
certificate policies extension. The object identifier can
enable a relying party to configure its systems to cause its
software to look for the OID of an acceptable certificate
policy, permit the transaction to continue if the system
finds the OID of an acceptable CP in the certificate, and
halt the transaction if it does not.” So while it enables
functionality, it doesn’t require it, in case that is a
browser concern.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Kelvin Yiu<br>
<b>Sent:</b> Tuesday, October 7, 2014 1:03 PM<br>
<b>To:</b> Dean Coclin; <a moz-do-not-send="true"
href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>;
<a moz-do-not-send="true"
href="mailto:sleevi@google.com">sleevi@google.com</a>;
<a moz-do-not-send="true"
href="mailto:public@cabforum.org">
public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">FWIW,
Microsoft provides an API on Windows 7 and later to
determine whether a certificate is EV or not, according to
Microsoft’s root CA program.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a
moz-do-not-send="true"
href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa377163%28v=vs.85%29.aspx">http://msdn.microsoft.com/en-us/library/windows/desktop/aa377163(v=vs.85).aspx</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
think it is a bad idea to assert BR OIDs for xV compliance
by ignoring the rules around certificate policies processing
in RFC 5280. While I understand the desire to have a source
of information to identify xV certificates, the value is
questionable to me unless the information is also in the CPS
and the appropriate audit has taken place.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Kelvin<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Dean Coclin<br>
<b>Sent:</b> Tuesday, October 7, 2014 9:12 AM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>;
<a moz-do-not-send="true"
href="mailto:sleevi@google.com">
sleevi@google.com</a>; <a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
Inigo,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Yes,
I did create such a sheet and I’ve enclosed it here. And I
think it proves my point that the current situation
exacerbates the problem, making it difficult for one to
programmatically determine what type of cert they are
encountering. <o:p>
</o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a moz-do-not-send="true"
href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>
[<a moz-do-not-send="true"
href="mailto:i-barreira@izenpe.net">mailto:i-barreira@izenpe.net</a>]
<br>
<b>Sent:</b> Tuesday, October 07, 2014 12:44 AM<br>
<b>To:</b> Dean Coclin; <a moz-do-not-send="true"
href="mailto:sleevi@google.com">sleevi@google.com</a>;
<a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: [cabfpub] OIDs for DV and OV<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean,
some time ago you created an Excel sheet with those CAs that use
their own OIDs for DV and OV, similar to what was done with
EV. The intention of that list was to also have another
“source” of information for considering those certs as DV or
OV for the browsers in case they need it.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">BTW,
Izenpe uses their own OIDs plus the CABF ones.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:9.75pt"><b><span
style="font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black"
lang="ES-TRAD">Iñigo Barreira</span></b><span
style="font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black"
lang="ES-TRAD"><br>
Head of the Technical Area<br>
<a moz-do-not-send="true"
href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:8.5pt;font-family:"Tahoma","sans-serif";color:black"
lang="ES-TRAD">945067705</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="ES-TRAD"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="ES-TRAD"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:9.75pt"><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD"
lang="ES">ATTENTION! Part or all of this message may be legally
protected. The message has its intended recipient. If it has
reached the wrong address (address mistyped, transmission
failure), notify the sender by replying to this e-mail.
CAUTION!</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD"
lang="ES"><br>
</span><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD"
lang="ES">ATTENTION! This message contains privileged or
confidential information which only the addressee is entitled to
access. If you have received it in error, we would be grateful if
you did not make use of the information and contacted the
sender.</span><span
style="font-family:"Calibri","sans-serif";color:navy;mso-fareast-language:ES-TRAD"
lang="ES"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="ES"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Dean Coclin<br>
<b>Sent:</b> Monday, October 06, 2014 21:17<br>
<b>To:</b> Ryan Sleevi; <a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="ES"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So
I get the part that Chrome (and likely other browsers in the
CA/B forum) don’t intend to distinguish DV and OV certs in
any way. Got that. Not a point of contention. In fact, I
knew that when I started this thread. So no need to go down
that path anymore. Having different OIDs does not oblige a
browser to do anything.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
would have expected more negative commentary from CAs but so
far there has been none. And only 1 browser has chimed in.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">However,
browsers are not the only application that use SSL
certificates. There are others out there and I distinctly
recall a conversation about 2-3 years ago where Paypal (a
CA/B member) explicitly asked that these OIDs be mandatory.
Brad stated that their security group had deemed DV certs to
be a security threat to their ecosystem and wanted an easy
programmatic way to distinguish them. At the time, there was
some pushback (I don’t believe from browsers) and the OIDs
ended up being optional.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">It
looks as if some CAs do use OIDs in their DV and OV certs
but some don’t use the CA/B Forum OIDs (rather their own).
This makes it difficult to apply a uniform decision process.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Certs
conforming to policy and issued correctly are one aspect
that some folks are looking for. The type of certificate is
another. One that has not been vetted is different from one
that has some vetting completed (other security issues being
equal). Perhaps that benefit is not tangible to some but it
certainly is to others. I can spew some stats on DV cert use
and fraud but that will just muddle this thread so I’ll save
it for another day. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Why
do browsers care one way or the other if other parties want
to make this distinction? The CA/B Forum has defined
different baseline standards for these types of certs. Why
not make transparency around those standards easy for those
that want to draw a distinction?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Certainly
would love to hear from some other interested parties.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Ryan Sleevi
<a moz-do-not-send="true"
href="mailto:sleevi@google.com">[mailto:sleevi@google.com]</a>
<br>
<b>Sent:</b> Thursday, October 02, 2014 8:56 PM<br>
<b>To:</b> Dean Coclin<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Oct 2, 2014 at 5:31 PM, Dean
Coclin &lt;<a moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>&gt;
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
for the response and pointers. I’ve read through
the threads but still have additional
questions/comments. I’ll readily admit that I
don’t understand all the commentary in the Mozilla
threads so I apologize if these questions sound
somewhat naïve. Happy to be educated:</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">You've
heard repeatedly from several browsers about an
explicit non-goal of distinguishing DV and OV. As
the Forum is comprised of CAs and Browsers, do we
have any Browsers that wish to make such a
distinction? If not, it would be wholly
inappropriate for the Forum to require it.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>I
haven’t heard of any browsers that want to make
that distinction (yet). It is my understanding
that the Forum BRs do require an OID for EV certs.
So why is it “inappropriate” for the Forum to
require OIDs for DV/OV?</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Browsers have agreed to make a
distinction between EV and !EV, so have required there
be a way to detect that.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Browsers have not agreed that there
is a distinction between DV or OV, nor is there a need
to detect the difference.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">What the browsers have required
(effectively all stores at this point, AFAIK) is that
the root program members be BR compliant. So any new
certs issued (technically, independent of the
notBefore, and we know CAs regularly backdate from
time of issuance, but it's a rough heuristic) are, by
definition, BR compliant.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">If
there are non-browser relying parties interested
in such distinctions, the CA can always provide
such distinctions themselves.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>Can
you elaborate on what you mean by this? If
there’s another way to accomplish the end
result, happy to explore further. But it would
have to be uniform among all CAs that issue
these certs.</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don't see why it needs to be
uniform.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
The requirement as to what shape it takes is dictated
by the relying party applications.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The browsers, as relying party
applications, do not and have not yet cared about the
shape of DV and OV, and as per our recent F2F, aren't
really keen to either.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So having the browsers dictate the
shape of the solution seems unnecessary, and an issue
for these relying party applications (e.g. Netcraft)
to work with CAs.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As
someone very keen on programmatic checks and
detection for misissuance, there's no question
that this would NOT meaningfully help address the
concerns we see.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>I
wasn’t suggesting that this addition would in
any way help you with your programmatic checks
for mis-issuance. Rather, it would make the
task for organizations like Netcraft, EFF or
others that tabulate statistics on various types
of certificates easier to do. Is that not the
case?</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Not really. These organizations are
interested in the same discussions and distinctions we
are - what are the certificates being issued and do
they conform to the policies that they're supposed to.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We've established that there's no
'uniform' definition of what constitutes OV, only that
the BR requires certain vetting steps for certain
subject fields that are OPTIONAL. CAs have taken these
and marketed them as OV, but there's no such
distinction as a level, nor a particular profile
spelled out in the appendices as to what constitutes a
"DV" vs "OV".<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If that was the only degree of
distinction required, it's just as easy as checking
the Subject fields for any of the OPTIONAL fields.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">That
is, there would need to be an OID _per revision_
of the BRs, to indicate "which" version of the BRs
something was complying to. <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>Fully
admit that I don’t understand how this works.
But wouldn’t that also be the case for EV (which
currently requires this OID)?</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">YES! And it's one of the many
reasons why EV is somewhat muddled for programmatic
checks or distinctions. And yet this is also necessary
because any change in policy, by definition,
necessitates a change in OID to (meaningfully) reflect
that. And that constitutes rolling a new hierarchy
(and updating browsers' lists of recognized EV OIDs)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’m
just trying to suggest a way that someone can
say: X is a DV cert, Y is an OV cert, Z is an EV
cert without a doubt. If OIDs are not the place
to do that, is there another mechanism
available?<br>
I’m sure you are familiar with Ryan Hurst’s blog
on how difficult the task currently is.</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I am (you're talking about <a
moz-do-not-send="true"
href="http://unmitigatedrisk.com/?p=203">
http://unmitigatedrisk.com/?p=203</a> in
particular). But I'm also not supportive of
encouraging a distinction that we neither recognize
nor have plans to recognize, and especially not
supportive of mandating such distinctions.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is especially true, as these
distinctions don't offer any tangible security
benefits to the Web, as previously discussed.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If we go to the point of mandating
anything additional in certificates, which requires a
variety of changes in processes, profiles, and CPSes,
I want it to have meaningful security value. This
change - which, as has been shown by the development
of audit standards and then the eventual incorporation
of those audit standards into the root programs, and
then FINALLY the
<b>enforcement</b> of those audit standards of the
root programs - would take several years, at BEST, to
deploy, and would communicate nothing of actionable
value. It's a hard sell.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><br>
Thanks,<br>
Dean</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>
[mailto:<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Thursday, October 02, 2014 3:37 PM<br>
<b>To:</b> Dean Coclin<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:public@cabforum.org"
target="_blank">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On
Thu, Oct 2, 2014 at 10:33 AM, Dean
Coclin <<a moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com"
target="_blank">Dean_Coclin@symantec.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Further
to today’s discussion on our call,
I’d like to get more feedback on a
proposal to make a unique
standardized OID mandatory for DV
and OV certificates in the Baseline
Requirements. Currently we have a
mandatory OID for EV certificates
but optional for OV and DV. This
makes things difficult for at least
two groups of constituents:<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p>1.<span style="font-size:7.0pt">
</span>Relying parties that would
like to distinguish between these
certificates<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">You've
heard repeatedly from several browsers
about an explicit non-goal of
distinguishing DV and OV. As the Forum
is comprised of CAs and Browsers, do
we have any Browsers that wish to
make such a distinction?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">If
not, it would be wholly inappropriate
for the Forum to require it. If there
are non-browser relying parties
interested in such distinctions, the
CA can always provide such
distinctions themselves.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p>2.<span style="font-size:7.0pt">
</span>Analysts that report on SSL
certificate data who have had to
issue revised reports because of
cert misclassification<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As
mentioned on the call, this has been
discussed with Mozilla in the past - <a
moz-do-not-send="true"
href="https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/hEOQK-ubGRcJ"
target="_blank">https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/hEOQK-ubGRcJ</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As
someone very keen on programmatic
checks and detection for misissuance,
there's no question that this would
NOT meaningfully help address the
concerns we see.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">That
is, there would need to be an OID _per
revision_ of the BRs, to indicate
"which" version of the BRs something
was complying with. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
would hope that <a
moz-do-not-send="true"
href="https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/2tRUS444krwJ"
target="_blank">https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/2tRUS444krwJ</a>
would capture some of these concerns
more fully.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Finally,
to do anything meaningful with this in
all major clients, it would require
that CAs redo their certificate
hierarchy, as policy OIDs are
inherited. That's a silly thing,
especially when CAs are still
struggling to migrate from SHA-1 to
SHA-256 in their intermediates.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">My
proposal is for CAs to put in OID
X if it’s a DV certificate and OID
Y if it’s an OV certificate.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As
Rick reminded me on the call, we
currently have something like this
for EV certificates (except that
CAs are free to use the standard
OID or define one of their own).<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I’d
like to hear pros/cons of this.
Ryan S indicated that Google would
not support such a proposal but we
didn’t have time to discuss the
reasons.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I’m
sure there are both technical and
policy reasons. Personally I’d
like to focus on the latter but
remarks on both are welcome. This
proposal doesn’t require anyone to
do anything with this data (i.e.
relying parties can choose whether
or not to utilize it).<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
Thanks,<br>
Dean<o:p></o:p></p>
<p> <o:p></o:p></p>
<p> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a moz-do-not-send="true"
href="mailto:Public@cabforum.org"
target="_blank">Public@cabforum.org</a><br>
<a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<br>
</blockquote>
<br>
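<p class="MsoNormal">The check Dean asks for ("X is a DV cert, Y is an OV cert, Z is an EV cert without a doubt") and the inheritance point Ryan raises ("policy OIDs are inherited"), as an added example that is not part of the original thread and not any browser's or CA's code: a relying party classifying a chain from its certificatePolicies OIDs. The CA/Browser Forum reserved OIDs in the table are the published ones; the per-root EV OID list, the vendor-specific EV OID and the sample chains are constructed for the example. Policy processing follows the RFC 5280 section 6.1.3 rule in simplified form (no policy mappings, no inhibitAnyPolicy or requireExplicitPolicy): a leaf's policy OID is valid only if every CA certificate below the trust anchor either asserts anyPolicy or lists that same OID.</p>

```python
"""Added example (not from the cabfpub thread): classify a TLS certificate
chain as DV / OV / IV / EV from its certificatePolicies OIDs, applying the
policy inheritance rule of RFC 5280 section 6.1.3 in simplified form (no
policy mappings, no inhibitAnyPolicy / requireExplicitPolicy)."""

from typing import Dict, FrozenSet, Sequence, Set

ANY_POLICY = "2.5.29.32.0"  # anyPolicy

# CA/Browser Forum reserved policy identifiers (Baseline Requirements and EV
# Guidelines).  A CA-specific EV OID, which the EV Guidelines also allow, is
# not in this table; that is the classification gap the thread discusses.
CABF_POLICY_NAMES: Dict[str, str] = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
    "2.23.140.1.1": "EV",
}


def valid_policy_set(path: Sequence[Set[str]]) -> Set[str]:
    """path: the certificates below the trust anchor, issuer first, leaf last.
    Each element is the set of policy OIDs in that certificate's
    certificatePolicies extension (an empty set means the extension is absent).
    Returns the policies valid for the whole path; empty if there are none."""
    valid: Set[str] = {ANY_POLICY}      # initial-policy-set = any-policy
    for policies in path:
        if not policies:
            return set()                # no extension: valid_policy_tree = NULL
        if ANY_POLICY in policies:
            continue                    # this CA permits whatever was valid so far
        if ANY_POLICY in valid:
            valid = set(policies)       # first explicit policy set on the path
        else:
            valid &= policies           # must be permitted by every issuer above
        if not valid:
            return set()
    return valid


def classify(path: Sequence[Set[str]],
             trusted_ev_oids: FrozenSet[str] = frozenset({"2.23.140.1.1"})) -> str:
    """Return 'EV', 'OV', 'IV', 'DV' or 'unknown' for the leaf at the end of path.
    trusted_ev_oids stands in for a root program's per-root EV OID list (an
    assumption for this example); by default only the CABF EV OID is trusted."""
    valid = valid_policy_set(path)
    if valid & trusted_ev_oids:
        return "EV"
    for level in ("OV", "IV", "DV"):    # strongest validated level first
        if any(CABF_POLICY_NAMES.get(oid) == level for oid in valid):
            return level
    return "unknown"


if __name__ == "__main__":
    ANY, DV, OV, EV = ANY_POLICY, "2.23.140.1.2.1", "2.23.140.1.2.2", "2.23.140.1.1"
    VENDOR_EV = "1.3.6.1.4.1.99999.1.1"   # constructed CA-specific EV OID
    samples = {                           # constructed sample chains
        "intermediate anyPolicy, leaf DV": [{ANY}, {DV}],
        "intermediate anyPolicy, leaf EV+OV": [{ANY}, {EV, OV}],
        "intermediate OV only, leaf asserts DV": [{OV}, {DV}],
        "intermediate without the extension": [set(), {DV}],
        "vendor EV OID, not in root program list": [{ANY}, {VENDOR_EV}],
    }
    for name, path in samples.items():
        print(f"{name:45s} -> {classify(path)}")
    print("vendor EV OID once the root program lists it ->",
          classify([{ANY}, {VENDOR_EV}], frozenset({VENDOR_EV})))
```

<p class="MsoNormal">The two failing cases are the ones the thread turns on. A leaf that asserts a DV OID under an intermediate that only lists OV yields no valid policy at all, so a mandatory DV/OV OID in end-entity certificates only means something once every intermediate above them carries the OID too, which is the hierarchy re-issuance Ryan describes. And a CA-specific EV OID classifies as "unknown" until the relying party learns it from an out-of-band list, which is why presence of an OID alone does not let anyone say "without a doubt" what a certificate is.</p>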
</body>
</html>