<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 15/5/2024 7:35 a.m., Roman Fischer
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018f7a8878cb-11f10502-b0d5-46bc-8135-164620bd2c9a-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Dear Aaron,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Interesting line of argumentation. Wouldn’t
that conclude that -every- mis-issuance of a leaf
certificate would be a violation of "all certificates that
it issues MUST comply with one of the following certificate
profiles" and thus would require the ICA to be revoked? That
can’t be the intent of the regulation, right?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
Roman,<br>
<br>
TC non-TLS subCAs already have a defined certificate profile
described in the BRs so there is no need to revoke such an ICA. I
think you might be referring to non-TLS Subscriber Certificates
issued by those TC non-TLS SubCAs?<br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:0100018f7a8878cb-11f10502-b0d5-46bc-8135-164620bd2c9a-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Rgds<br>
Roman<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf Of </b>Aaron Gable via Servercert-wg<br>
<b>Sent:</b> Tuesday, 14 May 2024 16:59<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA)
<a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a>; CA/B Forum Server Certificate
WG Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] Discussion about
single-purpose client authentication leaf certificates
issued from a server TLS Issuing CA<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On Tue, May 14, 2024, 02:33 Dimitris
Zacharopoulos (HARICA) via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p>Is it ok for such an Issuing CA to create a
single-purpose client authentication TLS Certificate,
one that is structured according to RFC 5280 (thus can
be successfully parsed by Relying Party RFC
5280-conformant software), contains an extKeyUsage
extension which contains the <i>id-kp-clientAuth</i>
and DOES NOT include the <i>id-kp-serverAuth</i>
KeyPurposeId?<o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Speaking in a personal capacity, it is
my opinion that no, such issuance is not acceptable.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I agree that the resulting end-entity
client-auth-only certificate is out of scope of the BRs,
and is not in and of itself misissued. However, the
issuing intermediate itself is still in scope of the BRs,
and its behavior can be contained by them. By virtue of
issuing the clientAuth cert, the issuing intermediate has
violated the BRs requirement that "all certificates that
it issues MUST comply with one of the following
certificate profiles".<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">One could even argue that, having
issued a certificate which does not comply with a BR
profile, the issuing intermediate must be revoked within 7
days, per BRs Section 4.9.1.2 (5): "The Issuing CA SHALL
revoke a Subordinate CA Certificate [if...] the Issuing CA
is made aware that the... Subordinate CA has not complied
with this document".<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Aaron<o:p></o:p></p>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
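<p>The test Dimitris's question describes, an extKeyUsage extension that contains id-kp-clientAuth and does not contain id-kp-serverAuth, as an added Go example using only the standard library; it is not code from the thread or from any CA/B Forum project, and the self-signed leaf it builds is constructed test data so the check can run offline.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// hasEKU reports whether the parsed extKeyUsage extension lists want.
func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// IsSinglePurposeClientAuth matches the leaf described in the thread: an
// extKeyUsage extension that contains id-kp-clientAuth and does not contain
// id-kp-serverAuth. A certificate with no extKeyUsage extension at all is not
// single-purpose under RFC 5280 (any purpose is permitted), so it returns false.
func IsSinglePurposeClientAuth(cert *x509.Certificate) bool {
	return hasEKU(cert, x509.ExtKeyUsageClientAuth) &&
		!hasEKU(cert, x509.ExtKeyUsageServerAuth)
}

// ConstructedLeaf self-signs a throwaway leaf with the given EKUs so the
// check can be exercised offline. It is constructed sample data, not a real cert.
func ConstructedLeaf(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

<p>Run over the leaves an in-scope Issuing CA has signed, a true result marks exactly the certificates whose status the thread is debating; it says nothing about the CA certificate itself.</p>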
<br>
</body>
</html>