<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks for the clarification, Ryan.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Not to argue, but I would point out that if a CA is discovered to be using an (unconstrained, unmarked) intermediate from a trusted root to issue SSL certs
without subjecting that intermediate and cert to full WebTrust/ETSI audit coverage – that would be a major violation of the Chrome and Firefox root program rules. True, you would only discover that violation after the fact – but that’s the same as if the
CA marked the intermediate as “usable for SSL” and then failed to subject it and EE certs to CA’s audit regime. In both cases, the browsers would find out about the violation long after the fact.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Given it’s a violation in both cases, and browsers will find out late in both cases – what is the advantage in requiring the intermediates to be marked?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">It seems the browsers have to come up with effective sanctions or other measures against the non-complying CA in both cases…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ryan Sleevi [mailto:sleevi@google.com]
<br>
<b>Sent:</b> Wednesday, November 05, 2014 9:38 AM<br>
<b>To:</b> Kirk Hall (RD-US)<br>
<b>Cc:</b> Gervase Markham; CABFPub<br>
<b>Subject:</b> Re: [cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Under the current audit requirements, a CA can issue an intermediate that has full power and capability of issuing trusted TLS certs, and then declare it out of scope of audit, because they don't "intend" for it to issue TLS certs.<o:p></o:p></p>
<p>This hand-wave does not require disclosure to auditors, nor to root programs, and yet still provides the same risk profile as incidents such as DigiNotar or India CCA.<o:p></o:p></p>
<p>Gerv is proposing a technical means to express this intent, so that it is clear to all parties the risk profile involved. Gerv's proposal is "opt-in" - that is, by a certain timeframe, all CAs must reissue to conform to the scheme, and anyone not conforming
to the scheme is out of scope, and UAs will be updated to require certs conform.<o:p></o:p></p>
<p>My proposal is "opt out" - by declaring every certificate transitively issued by a root to be in scope for the BRs, the burden is placed upon the CA to use technical means to exclude their "non-TLS" intermediates from being in scope. This is weaker in some
ways (it lacks the hard enforcement on the client side that Gerv proposes), but as both schemes rely on auditors, I believe they represent the same effective risk profiles.<o:p></o:p></p>
<div>
<p class="MsoNormal">On Nov 5, 2014 9:29 AM, "<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>" <<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">Gerv, I'm slow on this argument, but I'm trying to figure out why markers in intermediates are important.<br>
<br>
Under the current scheme, it seems the trusted status of the root is what's important, not the status of intermediates. CAs must get WebTrust/ ETSI audits covering their operations from those roots to be trusted and included in the browser root store. The
audits are supposed to cover all (SSL) operations from that root. Ultimately, it's a binary yes/no decision on whether to keep the root in the root store based on audit results, plus compliance with other root program requirements. I suppose rogue intermediates
from the roots can also be explicitly untrusted by browsers if needed.<br>
<br>
What are the objectives of the proposals to put markers (EKUs or OIDs) in intermediates? Is it not possible to meet those objectives using the current system of trusted root / audit of all (SSL) operations from that root?<br>
<br>
Just curious.<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>] On Behalf Of Gervase Markham<br>
Sent: Monday, November 03, 2014 11:46 AM<br>
To: CABFPub<br>
Subject: [cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?<br>
<br>
Hi everyone,<br>
<br>
I wonder if the BRs should say that all non-root certs in a chain issued for SSL server use, which were issued after <date>, should have EKU id-kpServerAuth in them. Date would be, say, six months from now.<br>
<br>
This is primarily aimed at intermediates; EE certs all currently have this anyway. It would mean that, over time (years) as intermediates got replaced, we could eventually move to a position where it was entirely clear what certs were intended for Web PKI SSL
use and what certs were not.<br>
<br>
Currently, any intermediate in the world issued by a publicly-trusted root can issue for SSL, even those intermediates which are not intended for such use. This leads to numerous problems, including the question of whether such intermediates need to be covered
by a BR audit. Once this change had filtered through, it would be clear - they would not be.<br>
<br>
AIUI, EKU "chaining" (i.e. requiring an EKU to be present all the way up the chain) is not standard, but is implemented in NSS and elsewhere.<br>
<br>
I know this is a thing which only pays off in the long term, but I still think it's worth it. Does this make any sense, or have I missed something obvious? :-)<br>
<br>
Gerv<br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<table class="TM_EMAIL_NOTICE"><tr><td><pre><br>
TREND MICRO EMAIL NOTICE<br>
The information contained in this email and any attachments is confidential<br>
and may be subject to copyright or other intellectual property protection.<br>
If you are not the intended recipient, you are not authorized to use or<br>
disclose this information, and we request that you notify us by reply mail or<br>
telephone and delete the original message from your mail system.<br>
</pre></td></tr></table><br>
<br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</div>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>