[cabfpub] A few technical details about the case by TURKTRUST

Geoff Keating geoffk at apple.com
Mon Jan 7 21:45:53 UTC 2013


The current baseline requirements have this as a 'MAY'; how do we feel about making this into a 'SHOULD'? That is, something like

Appendix B – Certificate Extensions (Normative)
Subordinate CA Certificate
D. basicConstraints

This extension MUST be present and MUST be marked critical. The cA field MUST be set true. The pathLenConstraint field ~~MAY~~ SHOULD be present. For Subordinate CAs which are used only to sign Subscriber Certificates, OCSP certificates or responses, and CRLs, it is RECOMMENDED that the pathLenConstraint field be present and set to zero.

On 07/01/2013, at 3:10 AM, "Madell, William" <bill.madell at trustis.com> wrote:

> Yes, that seems correct; probably worthwhile discussing such a constraint as a future best practice.
> 
> Cheers,
> Bill
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
> Sent: 07 January 2013 11:06
> To: Rick Andrews; mert.ozarar; public at cabforum.org
> Subject: Re: [cabfpub] A few technical details about the case by TURKTRUST
> 
> On 04/01/13 19:40, Rick Andrews wrote:
>> I have one concern about the post process control you’ve put into place.
>> You say that it will check the basicConstraints value against the
>> respective certificate policy. I’m worried that if that test profile
>> gets put on the production system again, and certs are issued against
>> it, your post process control will not alert you, because the test
>> policy would say “add basicConstraints cA=true” and that would match the
>> issued certificate.
> 
> I also had this concern. I think Rick's advice is very good.
> 
> Question for the group: would it be a good idea to recommend it as a
> best practice that intermediates issued for the purpose of issuing
> end-entity certificates have a path length constraint? As I understand
> it, if TurkTrust's intermediate which mis-issued these certs had had such
> a constraint, the *.google.com and other certs created by the firewall
> appliance would not have worked. Am I right?
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
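The thread asks two things: whether a pathLenConstraint of zero on an issuing intermediate would have stopped certificates minted under a mis-issued cA=true certificate from validating, and how a post-issuance control can catch such a certificate even when the policy template itself is wrong. The following added example (not from this list thread or any of its participants) models the path-length bookkeeping of RFC 5280 section 6.1.4 over constructed certificates; the names, the `Cert`/`BasicConstraints` classes and the `audit_issued` control are assumptions for illustration, and signatures, validity and revocation are deliberately not modelled.

```python
"""Added example: RFC 5280 s.6.1.4 path-length enforcement over constructed certs.
Not code from the CA/B Forum thread or from any CA; names are made up."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class BasicConstraints:
    ca: bool
    path_len: Optional[int] = None   # None: pathLenConstraint absent


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    basic_constraints: Optional[BasicConstraints] = None  # None: extension absent
    self_issued: bool = False        # issuer name equals subject name (e.g. a CA re-key)


def validate_path(chain: List[Cert]) -> Tuple[bool, str]:
    """chain = [trust anchor, intermediates..., end-entity].

    Returns (accepted, reason). Only name chaining plus the basicConstraints /
    pathLenConstraint bookkeeping of RFC 5280 s.6.1 is modelled here.
    """
    if len(chain) < 2:
        return False, "need a trust anchor plus at least one certificate"
    anchor, certs = chain[0], chain[1:]
    # s.6.1.2: max_path_length starts at n, the number of certs after the anchor
    max_path_length = len(certs)
    expected_issuer = anchor.subject
    for index, cert in enumerate(certs):
        if cert.issuer != expected_issuer:
            return False, f"{cert.subject}: issuer does not match previous subject"
        is_end_entity = index == len(certs) - 1
        if not is_end_entity:
            # s.6.1.4 (k): every certificate used as an issuer must assert cA=true
            bc = cert.basic_constraints
            if bc is None or not bc.ca:
                return False, f"{cert.subject}: used as an issuer but is not a CA"
            # s.6.1.4 (l): each non-self-issued intermediate consumes one unit of budget
            if not cert.self_issued:
                if max_path_length > 0:
                    max_path_length -= 1
                else:
                    return False, f"{cert.subject}: pathLenConstraint of an ancestor exceeded"
            # s.6.1.4 (m): a tighter pathLenConstraint on this cert lowers the budget
            if bc.path_len is not None and bc.path_len < max_path_length:
                max_path_length = bc.path_len
        expected_issuer = cert.subject
    return True, "path accepted"


def audit_issued(issued: List[Cert], leaf_only_issuers: Set[str]) -> List[str]:
    """Post-issuance control that does not consult the policy template at all:
    any certificate from a leaf-only issuer that asserts cA=true is reported,
    so a wrong template cannot make the mis-issuance look compliant."""
    return [c.subject for c in issued
            if c.issuer in leaf_only_issuers
            and c.basic_constraints is not None and c.basic_constraints.ca]


# Constructed sample hierarchy (hypothetical names).
ROOT = Cert("Example Root CA", "Example Root CA", BasicConstraints(ca=True), self_issued=True)
ISSUING_CA_PL0 = Cert("Example Issuing CA", "Example Root CA", BasicConstraints(ca=True, path_len=0))
ISSUING_CA_NO_PL = Cert("Example Issuing CA", "Example Root CA", BasicConstraints(ca=True))
# A subscriber certificate that wrongly carries cA=true (the mis-issuance case).
ROGUE_CA = Cert("customer.example", "Example Issuing CA", BasicConstraints(ca=True))
# A server certificate signed with the rogue certificate's key.
SPOOFED_LEAF = Cert("www.example.com", "customer.example", None)
NORMAL_LEAF = Cert("shop.example", "Example Issuing CA", BasicConstraints(ca=False))

CHAIN_WITH_PATHLEN = [ROOT, ISSUING_CA_PL0, ROGUE_CA, SPOOFED_LEAF]
CHAIN_WITHOUT_PATHLEN = [ROOT, ISSUING_CA_NO_PL, ROGUE_CA, SPOOFED_LEAF]
ROGUE_AS_END_ENTITY = [ROOT, ISSUING_CA_PL0, ROGUE_CA]

if __name__ == "__main__":
    for label, chain in [("with pathLen=0", CHAIN_WITH_PATHLEN),
                         ("without pathLen", CHAIN_WITHOUT_PATHLEN),
                         ("rogue cert as end entity", ROGUE_AS_END_ENTITY)]:
        print(f"{label}: {validate_path(chain)}")
    print("flagged by audit:", audit_issued([NORMAL_LEAF, ROGUE_CA], {"Example Issuing CA"}))
```

Two points the runs make concrete: the spoofed leaf fails only when the issuing CA carries pathLenConstraint=0, and the rogue certificate itself still validates as an end entity under that constraint. The constraint therefore limits what a mis-issued cA=true certificate can be used for; it does not prevent the mis-issuance, which is what the issuer-based audit above is for.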
