[Cscwg-public] MUST overridden by a MAY - Subordinate CA policies
Martijn Katerbarg
martijn.katerbarg at sectigo.com
Wed Nov 22 16:06:47 UTC 2023
All,
CSBR section 7.1.6.3 states:
“A Certificate issued to a Subordinate CA that issues Code Signing Certificates and is an Affiliate of the Issuing CA:
1. MUST include the CA/Browser Forum reserved identifier specified in Section 7.1.6.1 <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers> to indicate the Subordinate CA's compliance with these Requirements, and
2. MAY contain the "anyPolicy" identifier (2.5.29.32.0) in place of an explicit policy identifier.
A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA:
1. MUST include the CA/Browser Forum reserved identifier specified in Section 7.1.6.1 <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers> to indicate the Subordinate CA’s compliance with these Requirements, and
2. MAY contain the “anyPolicy” identifier (2.5.29.32.0) in place of an explicit policy identifier.”
I find there are a few issues with this:
* “MUST include the CA/Browser Forum reserved identifier specified in Section 7.1.6.1 <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers>” seems to state there’s only one policy OID to use, while in fact there are 3 in the named section, 2 of which are for code signing certificates. This is a minor issue though and could be fixed in a cleanup ballot.
* More concerning, I find, is the MUST and MAY language. If we take the language related to CA Certificates for Code Signing Certificates, what does this language actually state? Should this be interpreted as:
* MUST include a CABF OID and MAY additionally contain the “anyPolicy” OID.
or does it state:
* MUST include either a CABF OID or the “anyPolicy” OID?
I would like to think the intent here is to allow CA Certificates with just the “anyPolicy” OID, but at the same time, a MAY overriding a MUST seems counterproductive.
Any thoughts on this?
Regards,
Martijn
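As an added example (not part of the original post or of the CSBR itself), here is a stdlib-only Python check that decodes a Subordinate CA certificate's certificatePolicies extension and reports which of the two readings above it satisfies. It assumes the reserved code signing identifiers from CSBR 7.1.6.1 named in the block (the non-EV and EV code signing OIDs) and constructs its own DER samples.

```python
# Added example (not from the original post): a minimal DER parser for the
# certificatePolicies extension, evaluated under both readings of CSBR 7.1.6.3.
# Reserved OIDs are from CSBR 7.1.6.1; every DER byte string is constructed.
ANY_POLICY = "2.5.29.32.0"
CABF_CODE_SIGNING = {"2.23.140.1.4.1", "2.23.140.1.3"}  # non-EV and EV

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content octets to dotted form (second arc below 80 assumed)."""
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:  # later arcs are base-128; high bit means "continues"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """Return every policyIdentifier in a certificatePolicies extension value."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)  # one PolicyInformation
        tag, raw, _ = read_tlv(info, 0)    # policyIdentifier is its first
        if tag != 0x06:                    # field; policyQualifiers are skipped
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(raw))
    return oids

def evaluate(oids):
    """Apply both readings of 7.1.6.3 to a Subordinate CA's policy OIDs."""
    has_cabf = bool(CABF_CODE_SIGNING & set(oids))
    return {"cabf_required": has_cabf,                            # reading 1
            "cabf_or_anypolicy": has_cabf or ANY_POLICY in oids}  # reading 2

# Constructed samples: anyPolicy only; anyPolicy plus the non-EV code signing
# OID; the EV OID followed by a CPS-URI policy qualifier that gets skipped.
SAMPLE_ANYPOLICY_ONLY = bytes.fromhex("300830060604551d2000")
SAMPLE_BOTH = bytes.fromhex("301230060604551d2000300806066781" "0c010401")
SAMPLE_EV_WITH_CPS = bytes.fromhex(
    "3022302006056781" "0c0103301730150608" "2b06010505070201" "1609687474703a2f2f782f")
```

Under reading 1 the anyPolicy-only sample fails and the other two pass; under reading 2 all three pass, which is exactly the ambiguity the post raises.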