[cabfpub] BR Issue 7

Ryan Sleevi sleevi at google.com
Tue Nov 6 17:50:28 UTC 2012

On Tue, Nov 6, 2012 at 8:08 AM, Rob Stradling <rob.stradling at comodo.com> wrote:
> On 06/11/12 11:15, Ben Wilson wrote:
>  > Yngve previously made a motion to make modifications to Appendix B of
>  > the Baseline Requirements, as indicated by the attached.  It has been
>  > endorsed by  Wen-Cheng of Chunghwa.  Is there another endorser?
> I (or Robin) would be happy to endorse a motion that just seeks to remove:
>    - "With the exception of stapling, which is noted below,"
>    - "The HTTP URL of the Issuing CA’s OCSP responder MAY be omitted,
> provided that the Subscriber “staples” the OCSP response for the
> Certificate in its TLS handshakes [RFC4366]."
> This exception is currently present in the BRs because Comodo asked for
> it.  However, we've not made use of it yet and it's looking very
> unlikely that we would ever need to use it.  IIRC, our primary concern
> was the potential OCSP traffic from TLS clients that don't support OCSP
> Stapling (i.e. Firefox!) visiting very busy websites that do support
> OCSP Stapling.  However, I'm optimistic that Firefox will gain support
> for OCSP Stapling soon.
> However, I'm afraid we can't accept the AIA->caIssuers changes in
> Yngve's motion for the following reasons:
> 1. As written...
> "Subordinate CA Certificate...authorityInfoAccess...MUST contain...the
> HTTP URL where a copy of the Issuing (non-Root) CA's certificate...can
> be downloaded"
> ...Yngve's motion outlaws Subordinate CA Certificates issued directly by
> Root Certificates which have not been cross-certified!
> IMHO...
> i. issuance of such Subordinate CA Certificates should be permitted!
> and
> ii. such Subordinate CA Certificates should omit AIA->caIssuers.
> 2. "it MUST contain" is unnecessarily restrictive.  I'm interpreting "it
> MUST contain" to mean "it MUST contain precisely <this> and nothing else".
> Comodo often includes >1 caIssuers HTTP URLs, but my interpretation of
> this motion is that it requires us to include precisely 1 HTTP URL.
> 3. We simply don't think that CAs should be forced to include caIssuers
> URLs if they don't want to include them.
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

If/when work on OCSP mustStaple is introduced, it seems like we'll
need to end up revisiting this. In the presence of a mustStaple
extension, requiring CAs to include the OCSP responder URI is
superflous, and thus would be nice to conserve the bytes for the
initial SSL handshake.

I have to agree with Rob though, in that I don't believe requiring CAs
to include caIssuers URLs measurably improves security.

My general feeling about these two is that MUST should be reserved for
items that directly correlate to improving security. Including OCSP
URIs when mustStaple is present, or including caIssuers, are both
things that aid usability, but at the general cost of performance.
Because of this, it would be better to leave these decisions in the
hands of CAs and their customers, to be adjusted to the situation,
rather than requiring a particular behaviour.

More information about the Public mailing list