[cabfcert_policy] CA vs. CA draft proposal

Peter Bowen pzb at amzn.com
Thu Mar 24 11:30:34 MST 2016


Wendy,

My intention was to explicitly forbid the key rollover model you describe. Each Issuer DN must have only one public key.  If you want a new issuer public key then you would need a new DN.  RFC 4210 key rollover has been discussed on the IETF PKIX list and the CA/Browser Forum public list in the past with notes that it does not reliably work with many clients.  Microsoft already forbids it for root CAs — this would extend it to subordinate CAs as well.

Thanks,
Peter
 
> On Mar 24, 2016, at 8:16 AM, Brown, Wendy (10421) <wendy.brown at protiviti.com> wrote:
> 
> I missed the policy call this morning based on it showing up on my calendar at the wrong time.
> But I have a question on one of the suggestions below:
>  
> In section 4.3.1, append the following text:
>  
> A CA shall only issue a Self-Issued CI Certificate when the Private Key used by the CA to sign the Certificate corresponds to the Public Key that is certified within the Certificate.
>  
> I believe this is the definition of a self-signed certificate rather than a self-issued one.
> A self-issued certificate may also include certificates issued when a CA does a key rollover and signs the new key with the old and vice versa.  In these self-issued certificates the Private Key used by the CA to sign the Certificates does NOT correspond to the Public Key in the same certificate.
>  
> Thanks,
>    Wendy
>  
> Wendy Brown
> Protiviti Government Services
> 703-299-4705 (office)    703-965-2990 (cell)
>  
> wendy.brown at protiviti.com
>  
> -----Original Message-----
> From: policyreview-bounces at cabforum.org [mailto:policyreview-bounces at cabforum.org] On Behalf Of Peter Bowen
> Sent: Thursday, March 24, 2016 9:43 AM
> To: policyreview at cabforum.org
> Subject: [cabfcert_policy] CA vs. CA draft proposal
>  
> New Definitions:
>  
> Certificate Issuer (CI): An issuer of Certificates defined by a distinct Distinguished Name and Public Key
>  
> CI Certificate: A Certificate for which any of the following are true:
> - A Basic Constraints extension is present and the cA component is set to TRUE
> - A Key Usage extension is present and the keyCertSign bit is set
>  
> CI Key Pair: A Key Pair which has its Public Key included in a CI Certificate
>  
> Cross-Certificate: A CI certificate which is not a Self-Issued CI Certificate
>  
> End-entity Certificate: A Certificate which is not a CI Certificate
>  
> Root CI: A CI which is distributed by Application Software Suppliers as a trust anchor
>  
> Root CI Key Pair: A CI Key Pair which has its Public Key included in a Root Certificate
>  
> Root CI Certificate:  A CI Certificate which contains the Public Key from a Root CI Key Pair
>  
> Self-Issued CI Certificate: A CI Certificate where the subject and issuer Distinguished Names match
>  
> Technically Constrained CI Certificate: A CI certificate which uses a combination of Extended Key Usage settings and Name Constraint settings to limit the scope within which CI may issue Subscriber or additional CI Certificates.
>  
> Modifications:
>  
> In section 3.1.5, insert the following text:
>  
> Each CI Public Key MUST be associated with a single distinct Distinguished Name.  Each CI Distinguished Name MUST be associated with a single unique Public Key.
>  
> In section 4.3.1, append the following text:
>  
> A CA shall only issue a Self-Issued CI Certificate when the Private Key used by the CA to sign the Certificate corresponds to the Public Key that is certified within the Certificate.
>  
> <more to change CA to CI where appropriate>
> _______________________________________________
> Policyreview mailing list
> Policyreview at cabforum.org

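As an added example (not code from this thread or from the CA/Browser Forum), the draft's definitions and its two proposed rules applied to constructed certificate records in Python: opaque key ids such as "k1" stand in for the certified public key and the signing key instead of parsed DER, and the `Cert` record, the DNs and the rule-label strings are assumptions. The "cross-certificate" label follows the draft's broad definition (any CI Certificate that is not self-issued), and the key-rollover certificate Wendy describes shows up as both a 4.3.1 and a 3.1.5 violation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str          # subject Distinguished Name
    issuer: str           # issuer Distinguished Name
    public_key: str       # id of the key certified in the certificate (assumed stand-in for SPKI)
    signing_key: str      # id of the key that produced the signature
    ca_true: bool = False        # Basic Constraints present with cA=TRUE
    key_cert_sign: bool = False  # Key Usage present with keyCertSign set

def is_ci_certificate(c):
    """Draft 'CI Certificate': cA=TRUE or keyCertSign set (either one suffices)."""
    return c.ca_true or c.key_cert_sign
def is_self_issued(c):
    """Draft 'Self-Issued CI Certificate': subject DN equals issuer DN."""
    return is_ci_certificate(c) and c.subject == c.issuer
def is_self_signed(c):
    """Stricter than self-issued: the signing key is the certified key (what 4.3.1 demands)."""
    return is_self_issued(c) and c.signing_key == c.public_key

def classify(c):
    if not is_ci_certificate(c):
        return "end-entity"
    if is_self_signed(c):
        return "self-signed"
    if is_self_issued(c):
        return "self-issued-rollover"  # old key signs new key under the same DN
    return "cross-certificate"

def check_draft_rules(certs):
    """Violations of 3.1.5 (DN <-> key one-to-one) and 4.3.1 (self-issued => self-signed)."""
    violations, dn_keys, key_dns = [], {}, {}
    for c in certs:
        if not is_ci_certificate(c):
            continue  # the draft's rules only bind CI Certificates
        dn_keys.setdefault(c.subject, set()).add(c.public_key)
        key_dns.setdefault(c.public_key, set()).add(c.subject)
        if is_self_issued(c) and not is_self_signed(c):
            violations.append(f"4.3.1: {c.subject} self-issued but not self-signed")
    violations += [f"3.1.5: DN {dn} bound to {len(k)} keys" for dn, k in dn_keys.items() if len(k) > 1]
    violations += [f"3.1.5: key {k} bound to {len(d)} DNs" for k, d in key_dns.items() if len(d) > 1]
    return violations

# Constructed sample: a root, the key-rollover certificate the draft forbids, a subordinate, a leaf.
SAMPLE = [
    Cert("CN=Example Root", "CN=Example Root", "k1", "k1", ca_true=True, key_cert_sign=True),
    Cert("CN=Example Root", "CN=Example Root", "k2", "k1", ca_true=True),  # new key signed by old key
    Cert("CN=Example Sub", "CN=Example Root", "k3", "k1", ca_true=True),
    Cert("CN=www.example.com", "CN=Example Sub", "k4", "k3"),
]
```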