<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 15/5/2024 9:21 a.m., Roman Fischer
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ZR0P278MB0170F03E494EE907583D544EFAEC2@ZR0P278MB0170.CHEP278.PROD.OUTLOOK.COM">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hi
Dimitris,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">I was thinking more along the lines of: What if we
had TLS leaf certificates with, e.g., the country field
missing? Such a cert would not comply with the TLS BR, and
since the ICA signed such a non-complying cert, it would
need to be revoked too… Which IMHO makes no sense at all.
</span><span
style="font-size:11.0pt;font-family:"Segoe UI Emoji",sans-serif"
lang="EN-US">😊</span></p>
</div>
</blockquote>
<br>
Indeed, it doesn't :)<br>
<br>
<blockquote type="cite"
cite="mid:ZR0P278MB0170F03E494EE907583D544EFAEC2@ZR0P278MB0170.CHEP278.PROD.OUTLOOK.COM">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Rgds<br>
Roman<o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via
Servercert-wg<br>
<b>Sent:</b> Wednesday, 15 May 2024 07:20<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a><br>
<b>Subject:</b> Re: [Servercert-wg] Discussion about
single-purpose client authentication leaf certificates
issued from a server TLS Issuing CA<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal">On 15/5/2024 7:35 a.m., Roman Fischer via
Servercert-wg wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Dear Aaron,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Interesting line of argumentation. Wouldn’t
that conclude that -every- mis-issuance of a leaf
certificate would be a violation of "all certificates that
it issues MUST comply with one of the following
certificate profiles" and thus would require the ICA to be
revoked? That can’t be the intent of the regulation,
right?</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-family:"Times New Roman",serif"><br>
Roman,<br>
<br>
TC non-TLS subCAs already have a defined certificate profile
described in the BRs so there is no need to revoke such an
ICA. I think you might be referring to non-TLS Subscriber
Certificates issued by those TC non-TLS SubCAs?<br>
<br>
<br>
Dimitris.<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Rgds<br>
Roman</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> </span><o:p></o:p></p>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Servercert-wg
<a href="mailto:servercert-wg-bounces@cabforum.org"
moz-do-not-send="true"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf Of </b>Aaron Gable via Servercert-wg<br>
<b>Sent:</b> Tuesday, 14 May 2024 16:59<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA) <a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true"><dzacharo@harica.gr></a>;
CA/B Forum Server Certificate WG Public Discussion List
<a href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b> Re: [Servercert-wg] Discussion about
single-purpose client authentication leaf certificates
issued from a server TLS Issuing CA</span><o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Tue, May 14, 2024, 02:33
Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p>Is it ok for such an Issuing CA to create a
single-purpose client authentication TLS
Certificate, one that is structured according to RFC
5280 (thus can be successfully parsed by Relying
Party RFC 5280-conformant software), contains
an extKeyUsage extension which contains the <i>id-kp-clientAuth</i>
and DOES NOT include the <i>id-kp-serverAuth</i>
KeyPurposeId?<o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal">Speaking in a personal capacity, it
is my opinion that no, such issuance is not acceptable.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I agree that the resulting end-entity
client-auth-only certificate is out of scope of the BRs,
and is not in and of itself misissued. However, the
issuing intermediate itself is still in scope of the
BRs, and its behavior can be contained by them. By
virtue of issuing the clientAuth cert, the issuing
intermediate has violated the BRs requirement that "all
certificates that it issues MUST comply with one of the
following certificate profiles".<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">One could even argue that, having
issued a certificate which does not comply with a BR
profile, the issuing intermediate must be revoked within
7 days, per BRs Section 4.9.1.2 (5): "The Issuing CA
SHALL revoke a Subordinate CA Certificate [if...]
the Issuing CA is made aware that the... Subordinate CA
has not complied with this document".<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Aaron<o:p></o:p></p>
</div>
</div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Servercert-wg mailing list<o:p></o:p></pre>
<pre><a href="mailto:Servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><o:p></o:p></pre>
<pre><a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></pre>
</blockquote>
</div>
</blockquote>
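<p>The certificate shape the thread turns on (RFC 5280-structured, extKeyUsage containing <i>id-kp-clientAuth</i> and not <i>id-kp-serverAuth</i>, issued from a server TLS Issuing CA) can be checked mechanically. The Go program below is an added example written for this page; it is not code from any participant in the thread or from the CA/B Forum. It builds a throwaway hierarchy with constructed names and keys, then shows three things: the leaf parses cleanly with an ordinary RFC 5280 parser, an EKU check classifies it as client-auth only, and a standard path builder accepts it for clientAuth while refusing it for serverAuth. That last point is what such a leaf looks like to relying-party TLS software, independent of the policy question of whether the Issuing CA was allowed to sign it. The function names (<code>BuildChain</code>, <code>ClientAuthOnly</code>, <code>VerifyFor</code>) are the example's own assumptions, not terms from the BRs.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl under parent/parentKey (self-signed when parent is nil) and
// runs the DER back through the standard parser, so everything inspected below
// is what an RFC 5280-conformant relying party would actually see.
func issue(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasEKU reports whether the extKeyUsage extension lists the given KeyPurposeId.
func hasEKU(c *x509.Certificate, eku x509.ExtKeyUsage) bool {
	for _, e := range c.ExtKeyUsage {
		if e == eku {
			return true
		}
	}
	return false
}

// ClientAuthOnly reports whether c carries id-kp-clientAuth and not
// id-kp-serverAuth: the leaf shape discussed in the thread.
func ClientAuthOnly(c *x509.Certificate) bool {
	return hasEKU(c, x509.ExtKeyUsageClientAuth) && !hasEKU(c, x509.ExtKeyUsageServerAuth)
}

// BuildChain creates a constructed demo hierarchy (hypothetical names, fresh
// keys): a root, an Issuing CA whose EKU permits serverAuth and clientAuth,
// and a leaf whose EKU holds only clientAuth.
func BuildChain() (root, ica, leaf *x509.Certificate, err error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, nil, err
		}
	}
	notBefore, notAfter := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)

	root, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, keys[0], nil)
	if err != nil {
		return nil, nil, nil, err
	}
	ica, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo TLS Issuing CA (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, root, keys[1], keys[0])
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "client-device-1 (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // no id-kp-serverAuth
	}, ica, keys[2], keys[1])
	if err != nil {
		return nil, nil, nil, err
	}
	return root, ica, leaf, nil
}

// VerifyFor reports whether a path from leaf to root builds for the requested
// usage. Go checks every certificate's EKU along the chain, so a clientAuth-only
// leaf yields an "incompatible key usage" failure when asked for serverAuth.
func VerifyFor(root, ica, leaf *x509.Certificate, usage x509.ExtKeyUsage) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ica)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

func main() {
	root, ica, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaf EKU %v, client-auth only: %t\n", leaf.ExtKeyUsage, ClientAuthOnly(leaf))
	fmt.Printf("path builds for serverAuth: %t\n", VerifyFor(root, ica, leaf, x509.ExtKeyUsageServerAuth))
	fmt.Printf("path builds for clientAuth: %t\n", VerifyFor(root, ica, leaf, x509.ExtKeyUsageClientAuth))
}
```

<p>Run with <code>go run</code>; it needs only the standard library. The EKU check is deliberately narrow: it tells you what the leaf asserts about itself, not whether the BR profile applies to it, which is exactly the point the thread leaves open. Note also that <code>VerifyFor</code> always passes an explicit usage, because Go's <code>Verify</code> defaults to serverAuth when <code>KeyUsages</code> is empty, and a chain-building tool that silently applies that default would reject a valid client certificate for the wrong reason.</p>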
<br>
</body>
</html>