<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EstiloCorreo19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ES link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>></span><span lang=EN-US> I'm not sure if this issue deserves some dedicated time for discussion at the upcoming F2F but Inigo could add it as an agenda item. At the very least we should capture the group's preference and proceed accordingly.<br><br></span><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>Dimitris, if you want this to be discussed at the F2F SCWG, just drop me an email with the content (just for the introduction) and an estimated discussion time and I´ll add it to the agenda. Not a problem.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>De:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Servercert-wg <servercert-wg-bounces@cabforum.org> <b>En nombre de </b>Dimitris Zacharopoulos (HARICA) via Servercert-wg<br><b>Enviado el:</b> miércoles, 15 de mayo de 2024 7:16<br><b>Para:</b> Aaron Gable <aaron@letsencrypt.org><br><b>CC:</b> CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Asunto:</b> Re: [Servercert-wg] Discussion about single-purpose client authentication leaf certificates issued from a server TLS Issuing CA<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On 14/5/2024 7:52 μ.μ., Aaron Gable wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>That makes sense. I guess I'm saying that the intent of "Intermediates which are part of the WebPKI must not issue certificates which are not part of the WebPKI" makes sense to me.<o:p></o:p></p></div></blockquote><p class=MsoNormal><br>While I agree that this sounds reasonable to clarify and ensure it is applicable unambiguously, to the best of my recollection, the intent of this group when drafting the profiles ballot was not what you describe. I'd be happy to be shown otherwise. I do recall Tim Hollebeek strongly objecting to adding requirements for non-TLS Certificates.<br><br>The current BRs do not require strict server TLS hierarchies, that was never the intent. If that was the case, it would not be allowed to create TC non-TLS Intermediates from a Root that is in-scope of the TLS BRs.<br><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Imagine that a publicly trusted Subordinate CA issues a "certificate" which is so badly malformed that it does not match any of the profiles allowed by the BRs, and it's even difficult to tell which profile it may have been intended to match before things went wrong. This feels to me like it should be treated as a misissuance: it should not have been possible for a CA to sign such an artifact, and the fact that it is possible merits an investigation and incident report.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>But the difference between such a malformed certificate and a certificate which asserts clientAuth but not serverAuth is only one of degree, not one of kind. They are both certificates which are issued by a publicly-trusted Subordinate CA, but which do not conform to a BRs profile. If issuing a clientAuth-only cert should be okay, but issuing a badly malformed cert should not be, where and how does one draw the line between them?<o:p></o:p></p></div></div></blockquote><p class=MsoNormal><br><br>The badly formed cert issue should definitely be addressed, just like it has been addressed for the TC non-TLS subCA profile. At a minimum it must conform to RFC 5280. But just as we had multi-purpose hierarchies, and we support non-TLS subCAs, maybe we should add similar language to cover the case of non-TLS leaf certificates.<br><br>However, if the group wants to proceed with "clarifying"* that CA Certificates technically capable of issuing server TLS Certificates SHALL NOT issue end-entity Certificates that do not include the serverAuth EKU, I'm all for it. I still don't see the harm in doing so from a RP security perspective but I won't object to clear and unambiguous rules that all CAs and auditors interpret the same way.<br><br>I'm not sure if this issue deserves some dedicated time for discussion at the upcoming F2F but Inigo could add it as an agenda item. At the very least we should capture the group's preference and proceed accordingly.<br><br>Dimitris.<br><br><br>* "Clarifying" has been used before as a way of adding new requirements.<br><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Aaron<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Tue, May 14, 2024 at 8:49<span style='font-family:"Arial",sans-serif'> </span>AM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On 14/5/2024 5:58 μ.μ., Aaron Gable wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal>On Tue, May 14, 2024, 02:33 Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal>Is it ok for such an Issuing CA to create a single-purpose client authentication TLS Certificate, one that is structured according to RFC 5280 (thus can be successfully parsed by Relying Party RFC 5280-conformant software), contains an extKeyUsage extension which contains the id-kp-clientAuth and DOES NOT include the id-kp-serverAuth KeyPurposeId? <o:p></o:p></p></div></blockquote></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Speaking in a personal capacity, it is my opinion that no, such issuance is not acceptable.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I agree that the resulting end-entity client-auth-only certificate is out of scope of the BRs, and is not in and of itself misissued. However, the issuing intermediate itself is still in scope of the BRs, and its behavior can be contained by them. By virtue of issuing the clientAuth cert, the issuing intermediate has violated the BRs requirement that "all certificates that it issues MUST comply with one of the following certificate profiles".<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>One could even argue that, having issued a certificate which does not comply with a BR profile, the issuing intermediate must be revoked within 7 days, per BRs Section 4.9.1.2 (5): "The Issuing CA SHALL revoke a Subordinate CA Certificate [if...] the Issuing CA is made aware that the... Subordinate CA has not complied with this document".<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Aaron<o:p></o:p></p></div></div></blockquote><p class=MsoNormal><br>Thanks Aaron, I tried to first establish the <i>intent</i> of the group before digging in the actual BRs. If we agree that the intent was to place rules only for Server TLS leaf Certificates but not for Client TLS Certificates, then we need to acknowledge that, and work within the document to fix any conflicts.<br><br>Dimitris.<o:p></o:p></p></div></blockquote></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>