[Cscwg-public] FW: Mistake in CSBR
Dean Coclin
dean.coclin at digicert.com
Thu Aug 1 20:36:45 UTC 2024
Forwarding this to the public list with Viktor’s permission. Is there any discussion?
I can add it to the agenda for the next call.
Dean Coclin
CSCWG Chair
From: Varga Viktor
Sent: Thursday, August 1, 2024 4:15 AM
To: Dean Coclin
Subject: Mistake in CSBR
Dear Dean,
I think I found a mistake in the CSBR.
Neither in chapter 7.1.2.1 Root CA Certificate nor in chapter 7.1.2.2 Subordinate CA Certificate can we find a section for the subjectKeyIdentifier (hereafter SKI) extension.
But 7.1.2.4 also explicitly forbids using any extension other than those listed in these chapters.
But RFC 5280 mandates this. (I added the relevant chapters at the end of the mail.)
May I ask for a correction to add the SKI to the requirements?
This extension shall be added to 7.1.2.1 and 7.1.2.2, and optionally to 7.1.2.3.
Also I would like to ask:
Can we agree that, if we are issuing a CA certificate until the correction, a CA certificate with SKI can be accepted as good because it fits the term: “unless the CA is aware of a reason”?
Kind regards,
Viktor
Viktor Varga
PKI Architect & Trust Services Manager
CSBR
7.1.2.4 All Certificates
All other fields and extensions MUST be set in accordance with RFC 5280. The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extKeyUsage value, Certificate extension, or other data not specified in Section 7.1.2.1, Section 7.1.2.2, or Section 7.1.2.3 unless the CA is aware of a reason for including the data in the Certificate.
RFC 5280
4.2.1.2. Subject Key Identifier
The subject key identifier extension provides a means of identifying certificates that contain a particular public key.
To facilitate certification path construction, this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (Section 4.2.1.9) where the value of cA is TRUE.
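As an added example (not code from the mailing-list post, the CSBR or RFC 5280), the following standard-library Python lint applies the rule quoted above to a certificate's DER-encoded extension list: a certificate whose basicConstraints says cA=TRUE must carry a subjectKeyIdentifier, and that extension must be non-critical. It also builds an SKI extension from a public key using method (1) of RFC 5280 section 4.2.1.2 (SHA-1 over the subjectPublicKey BIT STRING value). The OIDs are the real RFC 5280 values; the basicConstraints bytes and the 64-byte "public key" are constructed sample input, not taken from any real certificate.

```python
"""Lint a DER extension list for the RFC 5280 4.2.1.2 subjectKeyIdentifier rule.
Added example; not the CSBR's, the RFC's or the list author's code."""
import hashlib

OID_SKI = "2.5.29.14"                # subjectKeyIdentifier (RFC 5280)
OID_BASIC_CONSTRAINTS = "2.5.29.19"  # basicConstraints (RFC 5280)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """First two arcs merge into 40*a+b; remaining arcs are base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position after the element) for one DER element."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def subject_key_identifier(subject_public_key: bytes) -> bytes:
    """Method (1) of RFC 5280 4.2.1.2: SHA-1 over the subjectPublicKey BIT STRING
    value, excluding tag, length and the unused-bits octet."""
    return hashlib.sha1(subject_public_key).digest()


def ski_extension_der(key_id: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }.
    critical is omitted (DER default FALSE) because RFC 5280 requires SKI non-critical;
    extnValue wraps the DER of KeyIdentifier ::= OCTET STRING."""
    return der_tlv(0x30, der_oid(OID_SKI) + der_tlv(0x04, der_tlv(0x04, key_id)))


def parse_extension(ext: bytes):
    """Return (dotted OID, critical flag, extnValue contents) for one DER Extension."""
    tag, body, end = read_tlv(ext)
    if tag != 0x30 or end != len(ext):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid_body, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional BOOLEAN critical
        critical = value != b"\x00"
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid_body), critical, value


def basic_constraints_is_ca(extn_value: bytes) -> bool:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen OPTIONAL }."""
    _, seq, _ = read_tlv(extn_value)
    if not seq:
        return False
    tag, first, _ = read_tlv(seq)
    return tag == 0x01 and first != b"\x00"


def lint_extensions(extensions: list) -> list:
    """CA certificate (cA=TRUE) MUST carry SKI; SKI MUST be non-critical."""
    by_oid = {}
    for ext in extensions:
        oid, critical, value = parse_extension(ext)
        by_oid[oid] = (critical, value)
    findings = []
    bc = by_oid.get(OID_BASIC_CONSTRAINTS)
    if bc is not None and basic_constraints_is_ca(bc[1]) and OID_SKI not in by_oid:
        findings.append("CA certificate (cA=TRUE) lacks subjectKeyIdentifier (RFC 5280 4.2.1.2)")
    ski = by_oid.get(OID_SKI)
    if ski is not None and ski[0]:
        findings.append("subjectKeyIdentifier is critical; RFC 5280 requires non-critical")
    return findings


# Constructed sample input: basicConstraints, critical, cA=TRUE (hand-encoded DER),
# and a 64-byte stand-in for a subjectPublicKey value (not a real key).
BASIC_CONSTRAINTS_CA = bytes.fromhex("300f0603551d130101ff040530030101ff")
SAMPLE_SUBJECT_PUBLIC_KEY = bytes(range(64))

if __name__ == "__main__":
    print("without SKI:", lint_extensions([BASIC_CONSTRAINTS_CA]))
    ski = ski_extension_der(subject_key_identifier(SAMPLE_SUBJECT_PUBLIC_KEY))
    print("with SKI:   ", lint_extensions([BASIC_CONSTRAINTS_CA, ski]))
```

Running the block prints one finding for the CA extension list without SKI and an empty list once the generated SKI extension is added. The parser is deliberately minimal (single-element DER, no indefinite lengths); a real linter would take the extension list from a full X.509 decoder rather than hand-assembled bytes.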