[cabf_netsec] SC28 and Certificate Profile changes

Neil Dunbar ndunbar at trustcorsystems.com
Tue Jun 2 10:20:14 MST 2020


While the discussion continues on the main list, Ryan S brings up an
interesting question regarding Certificate Profiles. I can actually see
both sides of this argument, so some NetSec flavoured discussion would
be valuable to me.

Should a Cert Profile (which constrains/configures certificates issued
under a PKI hierarchy) be considered to belong to a CA Private Key? If
so, should that actually be part of events logged, alongside certificate
requests, etc?

Pro retention: Knowing the history of Certificate Profile recording and
changing can give useful information to Root Programs who wish to know
how and why misissuances took place - not within the context of N
certificates were misissued, but rather which systemic issues allowed
them to be misissued, and how those profiles changed in order to
remediate the damage.

Against retention: the actual effects of a Certificate Profile consist
in the issuance of certificates; those certificates are either properly
issued, or not, at the time of certificate publication; thus from a
security perspective making the profile changes part of the CA Key/Cert
record actually serves no purpose.

So it (to me) comes down to long term root cause analysis utility
[tracking of policy and profile changes] versus actual security utility
[certificate misissuance caused by a bad cert profile]. It also comes
down to "useful to which audience". An auditor might well not see much
point in delving into a Cert Profile's history for the last 10 years,
and a Root Program might want to know it, but only in rare circumstances.

I'm keen to avoid the "keep it just in case it could be interesting one
day" school of thought, but the thoughts of those on the list would be
very welcome.
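To make the "pro retention" argument above concrete, here is an added example (not from the post, the CA/B Forum, or any CA's software) of an audit log that records each profile version alongside the issuance events that used it. With such a record, a single misissued certificate can be traced back to the profile version in effect, to every other certificate issued under that same version, and to the profile change that remediated it. The profiles, serial numbers and dates are constructed sample data, and content-addressing the profile with a SHA-256 over canonical JSON is an assumption made for the example.

```python
"""Added example: linking certificate issuance events to the profile
version in effect, so misissuance can be traced to a systemic cause.
All profile contents, serials and timestamps are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def profile_digest(profile: dict) -> str:
    """Content-address a profile: any change yields a new identity.
    Canonical JSON + SHA-256 is an assumed scheme, not a standard one."""
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only list of profile_change and issuance events."""
    events: List[dict] = field(default_factory=list)
    _current: Dict[str, str] = field(default_factory=dict)  # name -> digest

    def record_profile_change(self, ts: str, name: str, profile: dict,
                              reason: str) -> str:
        digest = profile_digest(profile)
        self.events.append({"ts": ts, "type": "profile_change", "profile": name,
                            "digest": digest, "reason": reason, "body": profile})
        self._current[name] = digest
        return digest

    def record_issuance(self, ts: str, serial: str, profile_name: str) -> None:
        # Every issuance is stamped with the profile version in effect.
        digest = self._current.get(profile_name)
        if digest is None:
            raise ValueError(f"no profile version recorded for {profile_name!r}")
        self.events.append({"ts": ts, "type": "issuance", "serial": serial,
                            "profile": profile_name, "digest": digest})

    def profile_for_serial(self, serial: str) -> Optional[str]:
        for e in self.events:
            if e["type"] == "issuance" and e["serial"] == serial:
                return e["digest"]
        return None

    def serials_under_profile(self, digest: str) -> List[str]:
        """All certificates affected by the same profile version."""
        return [e["serial"] for e in self.events
                if e["type"] == "issuance" and e["digest"] == digest]

    def change_that_remediated(self, digest: str) -> Optional[dict]:
        """The next profile_change for the same profile name, if any."""
        changes = [e for e in self.events if e["type"] == "profile_change"]
        for i, e in enumerate(changes):
            if e["digest"] == digest:
                later = [c for c in changes[i + 1:] if c["profile"] == e["profile"]]
                return later[0] if later else None
        return None


def build_sample_log():
    """Constructed history: a too-long validity, two certs, then a fix."""
    log = AuditLog()
    v1 = log.record_profile_change("2020-01-10", "tls-server",
                                   {"validity_days": 825, "ekus": ["serverAuth"]},
                                   "initial profile")
    log.record_issuance("2020-02-01", "01", "tls-server")
    log.record_issuance("2020-03-05", "02", "tls-server")
    v2 = log.record_profile_change("2020-03-20", "tls-server",
                                   {"validity_days": 398, "ekus": ["serverAuth"]},
                                   "reduce maximum validity")
    log.record_issuance("2020-04-01", "03", "tls-server")
    return log, v1, v2


def trace_misissuance(log: AuditLog, serial: str) -> dict:
    """Root-cause view: which profile version, who else was affected,
    and which change remediated it."""
    digest = log.profile_for_serial(serial)
    fix = log.change_that_remediated(digest) if digest else None
    return {"profile_version": digest,
            "affected_serials": log.serials_under_profile(digest) if digest else [],
            "remediated_by": fix["reason"] if fix else None}


if __name__ == "__main__":
    sample_log, _, _ = build_sample_log()
    print(json.dumps(trace_misissuance(sample_log, "02"), indent=2))
```

The point of the example is that the issuance event alone only says whether certificate "02" was misissued; it is the retained profile history that shows certificate "01" shares the same cause and that the 2020-03-20 change is the remediation.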


