<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Servercert-wg <servercert-wg-bounces@cabforum.org> on behalf of Ryan Dickson via Servercert-wg <servercert-wg@cabforum.org><br>
<b>Sent:</b> Thursday, April 25, 2024 12:29:21 PM<br>
<b>To:</b> Adriano Santoni <adriano.santoni@staff.aruba.it>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br>
<b>Subject:</b> Re: [Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>It's my understanding that the intent of the updates made in SC-62 was to prohibit any non-HTTP URI. This was discussed in:<br>
</div>
<div>
<div><br>
</div>
<div>1) at least one historical GitHub <a href="https://github.com/sleevi/cabforum-docs/pull/36" target="_blank">
discussion</a> (referenced in ballot <a href="https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/" target="_blank">
preamble</a>):</div>
<div><br>
</div>
<div>
<ul dir="auto" style="box-sizing:border-box; padding-left:2em; margin-top:0px; margin-bottom:16px; color:rgb(31,35,40)">
<li style="margin-left:0px; box-sizing:border-box; margin-top:0.25em"><i><code style="box-sizing:border-box; font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace; padding:0.2em 0.4em; margin:0px; border-radius:6px">"authorityInformationAccess</code>:
 This is a new requirement.</i></li><ul dir="auto" style="box-sizing:border-box; padding-left:2em; margin-top:0px; margin-bottom:0px">
<li style="margin-left:0px; box-sizing:border-box"><i>BRs 7.1.2.2 (c) notes that it SHOULD contain the HTTP URL of the Issuing CA's certificate and MAY contain the HTTP URL of the Issuing CA's OCSP responder.</i></li><li style="margin-left:0px; box-sizing:border-box; margin-top:0.25em"><i>Some questions were raised about whether this means other URLs, other schemes, or multiple URLs can be included. Similar to <code style="box-sizing:border-box; font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,"Liberation Mono",monospace; padding:0.2em 0.4em; margin:0px; border-radius:6px">crlDistributionPoints</code>,
 the ordering of URLs implies processing semantics on clients, and only particular URL schemes are supported. Namely, if one of the two supported access methods are present (CA issuer or OCSP), <b>then the only URLs present MUST be HTTP URLs</b>, and MUST be
 listed in order of priority.</i></li><li style="margin-left:0px; box-sizing:border-box; margin-top:0.25em"><i>This prohibits the use of other access methods, as they are not used in the Web PKI."</i></li></ul>
</ul>
<div><font color="#1f2328" face="-apple-system, system-ui, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji"><i><br>
</i></font></div>
</div>
<div>and 2) Corey's Validation Subcommittee presentation at <a href="https://cabforum.org/2022/06/06/minutes-of-the-f2f-56-meeting-in-warsaw-poland-6-8-june-2022/" target="_blank">F2F
 56</a> (slide <a href="https://lists.cabforum.org/pipermail/validation/attachments/20220608/ea4bb526/attachment-0001.pdf" target="_blank">14</a>, <i>"Non-HTTP
 (i.e., LDAP and FTP) OCSP and CA Issuers URIs are prohibited").</i><font color="#1f2328" face="-apple-system, system-ui, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji"><i><br>
</i></font></div>
<div><i><br>
</i></div>
<div>D-Trust volunteered to propose an update to the BRs to address the issue in <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1884714#c1" target="_blank">
this</a> Bugzilla Bug (Actions Table).</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Ryan</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Apr 25, 2024 at 3:44 AM Adriano Santoni via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<u></u>
<div>
<p><font face="Calibri">Hi,</font></p>
<p><font face="Calibri">IMO, including an HTTPS URI in the <b>id-ad-caIssuers</b> accessMethod is at least a bad practice and very unwise (if done on purpose), as it may give rise to unbounded loops, as is clearly explained in RFC 5280:</font></p>
<p><font face="Calibri"></font></p>
<blockquote type="cite"><font face="Calibri">
<pre>CAs SHOULD NOT include URIs that specify https, ldaps, or similar
schemes in extensions.  CAs that include an https URI in one of these
extensions MUST ensure that the server's certificate can be validated
without using the information that is pointed to by the URI.  Relying
parties that choose to validate the server's certificate when
obtaining information pointed to by an https URI in the
cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess
extensions MUST be prepared for the possibility that this will result
in unbounded recursion.</pre>
</font></blockquote>
<font face="Calibri"></font>
<p></p>
<p><font face="Calibri">That said, whether it amounts to a violation of the BRs is a different matter. Generally speaking, since the requirement for
</font><font face="Calibri">the <b>id-ad-caIssuers</b> accessMethod </font><font face="Calibri">is expressed in the same way as for the
</font><font face="Calibri"><b>id-ad-ocsp</b> accessMethod </font><font face="Calibri">and for
<b>distributionPoint</b> (see 7.1.2.11.2), if using an "https" URI is indeed a violation it should be so for all three cases.</font></p>
<p><font face="Calibri">It should also be noted that PKILINT contains a validator for checking that the URI in the
</font><font face="Calibri"><b>id-ad-caIssuers</b> accessMethod starts with "http://".<br>
</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<div>On 25/04/2024 08:10, Dimitris Zacharopoulos (HARICA) via Servercert-wg wrote:<br>
</div>
<blockquote type="cite">
<br>
<br>
Dear Members, <br>
<br>
I have a quick question regarding the <span></span><code style="box-sizing:inherit; font-variant-ligatures:none; white-space:pre-wrap; word-break:normal; border-radius:3px; padding:2px 3px 1px; font-size:12px; line-height:1.50001; font-family:Monaco,Menlo,Consolas,"Courier New",monospace">id-ad-caIssuers</code>
<span> </span> accessMethod URI. <br>
<br>
<a href="https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.2.1" target="_blank">Section 4.2.2.1
 of RFC 5280</a> states that: <br>
<br>
<blockquote type="cite" style="box-sizing:inherit; margin:4px 0px; padding:0px 0px 0px 16px; color:rgb(29,28,29); font-family:Slack-Lato,Slack-Fractions,appleLogo,sans-serif; font-size:15px; font-style:normal; font-variant-ligatures:common-ligatures; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:left; text-indent:0px; text-transform:none; word-spacing:0px; white-space:normal; background-color:rgb(248,248,248); text-decoration-style:initial; text-decoration-color:initial">
When the<span> </span><code style="box-sizing:inherit; font-variant-ligatures:none; white-space:pre-wrap; word-break:normal; border-radius:3px; padding:2px 3px 1px; font-size:12px; line-height:1.50001; font-family:Monaco,Menlo,Consolas,"Courier New",monospace">id-ad-caIssuers</code><span> </span>accessMethod
 is used, at least one instance SHOULD specify an accessLocation that is an HTTP [RFC2616] or LDAP [RFC4516] URI.</blockquote>
<br>
RFC 2616 does not support https. That was introduced in a superseded version. <br>
<br>
Since RFC 5280 points to RFC 2616, based on past discussions about strictly adhering to RFC 5280 despite the existence of superseded versions, I believe that the proper interpretation of this requirement is that the "http" scheme is allowed and "https" is not.
<br>
<br>
Do Members agree with that interpretation? <br>
<br>
If this is the correct interpretation, would it be considered a violation of the BRs if a CA or end-entity certificate contains an https:// URL in the id-ad-caIssuers accessMethod?
<br>
<br>
I'm afraid that this might not be as clear in the BRs as it should be, so if people agree with the above, we should probably update
<a href="https://github.com/cabforum/servercert/blob/main/docs/BR.md#71277-subscriber-certificate-authority-information-access" target="_blank">
section 7.1.2.7.7</a> (and possibly other parts) to explicitly state that the allowed scheme is "http" and not "https", just like we do for the CRLDP in
<a href="https://github.com/cabforum/servercert/blob/main/docs/BR.md#712112-crl-distribution-points" target="_blank">
section 7.1.2.11.2</a>. <br>
<br>
<br>
Thank you, <br>
Dimitris. <br>
<br>
<br>
<br>
<pre>_______________________________________________
Servercert-wg mailing list
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
</div>
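<p>The kind of scheme check Adriano attributes to PKILINT, written out as an added example: this is not code from the thread and not pkilint's own implementation. It is a standard-library Python lint that decodes an authorityInformationAccess extension value with a small DER reader and reports every id-ad-caIssuers or id-ad-ocsp accessLocation whose URI scheme is not "http" (so "https", "ldap" and "ftp" are all flagged, matching the SC-62 intent quoted above), and it also reports non-URI GeneralNames and unknown access methods. The DER writer at the bottom and the example.test hostnames exist only to build constructed sample input so the script runs offline.</p>

```python
"""Added example: lint an AIA extension value for non-http accessLocation URIs.
Standard library only; not pkilint's code. Sample inputs are constructed below."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# accessMethod OIDs from RFC 5280 section 4.2.2.1
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"
METHOD_NAMES = {ID_AD_OCSP: "id-ad-ocsp", ID_AD_CA_ISSUERS: "id-ad-caIssuers"}

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier [6] IMPLICIT IA5String


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


@dataclass
class AccessDescription:
    method: str            # dotted accessMethod OID
    uri: Optional[str]     # accessLocation text when it is a URI GeneralName, else None


def parse_aia(ext_value: bytes) -> list[AccessDescription]:
    """Parse AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        tag, ad, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        oid_tag, oid, p = _read_tlv(ad, 0)
        loc_tag, loc, _ = _read_tlv(ad, p)
        if oid_tag != TAG_OID:
            raise ValueError("accessMethod is not an OBJECT IDENTIFIER")
        uri = loc.decode("ascii") if loc_tag == TAG_URI else None
        result.append(AccessDescription(_decode_oid(oid), uri))
    return result


def lint_aia(ext_value: bytes) -> list[str]:
    """One finding per AccessDescription that does not carry a plain-http URI."""
    findings = []
    for ad in parse_aia(ext_value):
        name = METHOD_NAMES.get(ad.method)
        if name is None:
            findings.append(f"unexpected accessMethod {ad.method}")
        elif ad.uri is None:
            findings.append(f"{name}: accessLocation is not a uniformResourceIdentifier")
        else:
            # Scheme names are case-insensitive (RFC 3986), so compare lower-cased.
            scheme = urlsplit(ad.uri).scheme.lower()
            if scheme != "http":
                findings.append(f"{name}: scheme '{scheme}' is not http ({ad.uri})")
    return findings


# --- DER writer, used only to build the constructed sample inputs -----------
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def build_aia(entries: list[tuple[str, str]]) -> bytes:
    """Encode (accessMethod OID, URI) pairs as a DER AIA extension value."""
    ads = [_tlv(TAG_SEQUENCE, _tlv(TAG_OID, _encode_oid(m)) + _tlv(TAG_URI, u.encode("ascii")))
           for m, u in entries]
    return _tlv(TAG_SEQUENCE, b"".join(ads))


# Constructed samples; the example.test hostnames are placeholders, not real CA endpoints.
AIA_OK = build_aia([(ID_AD_CA_ISSUERS, "http://ca.example.test/issuer.crt"),
                    (ID_AD_OCSP, "http://ocsp.example.test")])
AIA_HTTPS = build_aia([(ID_AD_CA_ISSUERS, "https://ca.example.test/issuer.crt"),
                       (ID_AD_OCSP, "http://ocsp.example.test")])
AIA_LDAP = build_aia([(ID_AD_CA_ISSUERS, "ldap://ldap.example.test/cn=ca?cACertificate")])

if __name__ == "__main__":
    for label, value in [("ok", AIA_OK), ("https", AIA_HTTPS), ("ldap", AIA_LDAP)]:
        print(label, lint_aia(value) or "no findings")
```

<p>To run it against a real certificate, pass the raw extension value (the contents of the AIA extension's OCTET STRING) to <code>lint_aia</code>; an https finding on id-ad-caIssuers is exactly the case RFC 5280 warns about above, where a relying party that validates the fetching server's certificate can end up in unbounded recursion.</p>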
</body>
</html>