[cabfpub] OIDs for DV and OV

Dean Coclin Dean_Coclin at symantec.com
Thu Oct 2 17:31:50 MST 2014


Thanks for the response and pointers. I’ve read through the threads but still have additional questions/comments. I’ll readily admit that I don’t understand all the commentary in the Mozilla threads so I apologize if these questions sound somewhat naïve. Happy to be educated:

You've heard repeatedly from several browsers about an explicit non-goal of distinguishing DV and OV. As the Forum is comprised of CAs and Browsers, do we have any Browsers that wish to make such a distinction? If not, it would be wholly inappropriate for the Forum to require it.

>>I haven’t heard of any browsers that want to make that distinction (yet). It is my understanding that the Forum BRs do require an OID for EV certs. So why is it “inappropriate” for the Forum to require OIDs for DV/OV? 

If there are non-browser relying parties interested in such distinctions, the CA can always provide such distinctions themselves.

>>Can you elaborate on what you mean by this? If there’s another way to accomplish the end result, happy to explore further. But it would have to be uniform among all CAs that issue these certs.

As someone very keen on programmatic checks and detection for misissuance, there's no question that this would NOT meaningfully help address the concerns we see.

>>I wasn’t suggesting that this addition would in any way help you with your programmatic checks for mis-issuance.  Rather, it would make the task for organizations like Netcraft, EFF or others that tabulate statistics on various types of certificates easier to do. Is that not the case?

That is, there would need to be an OID _per revision_ of the BRs, to indicate "which" version of the BRs something was complying to. 

>>Fully admit that I don’t understand how this works. But wouldn’t that also be the case for EV (which currently requires this OID)?

I’m just trying to suggest a way that someone can say: X is a DV cert, Y is an OV cert, Z is an EV cert without a doubt. If OIDs are not the place to do that, is there another mechanism available?
I’m sure you are familiar with Ryan Hurst’s blog on how difficult the task currently is.

Thanks,
Dean

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Thursday, October 02, 2014 3:37 PM
To: Dean Coclin
Cc: public at cabforum.org
Subject: Re: [cabfpub] OIDs for DV and OV

On Thu, Oct 2, 2014 at 10:33 AM, Dean Coclin <Dean_Coclin at symantec.com> wrote:

Further to today’s discussion on our call, I’d like to get more feedback on a proposal to make a unique standardized OID mandatory for DV and OV certificates in the Baseline Requirements. Currently we have a mandatory OID for EV certificates but optional for OV and DV.  This makes things difficult for at least two groups of constituents:

1. Relying parties that would like to distinguish between these certificates

You've heard repeatedly from several browsers about an explicit non-goal of distinguishing DV and OV. As the Forum is comprised of CAs and Browsers, do we have any Browsers that wish to make such a distinction?

If not, it would be wholly inappropriate for the Forum to require it. If there are non-browser relying parties interested in such distinctions, the CA can always provide such distinctions themselves.

2. Analysts that report on SSL certificate data who have had to issue revised reports because of cert misclassification

As mentioned on the call, this has been discussed with Mozilla in the past - https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/hEOQK-ubGRcJ

As someone very keen on programmatic checks and detection for misissuance, there's no question that this would NOT meaningfully help address the concerns we see.

That is, there would need to be an OID _per revision_ of the BRs, to indicate "which" version of the BRs something was complying to. 

I would hope that https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/2tRUS444krwJ would capture some of these concerns more fully.

Finally, to do anything meaningful with this in all major clients, it would require that CAs redo their certificate hierarchy, as policy OIDs are inherited. That's a silly thing, especially when CAs are still struggling to migrate from SHA-1 to SHA-256 in their intermediates.

My proposal is for CAs to put in OID X if it’s a DV certificate and OID Y if it’s an OV certificate.

As Rick reminded me on the call, we currently have something like this for EV certificates (except that CAs are free to use the standard OID or define one of their own).

I’d like to hear pros/cons of this. Ryan S indicated that Google would not support such a proposal but we didn’t have time to discuss the reasons.

I’m sure there are both technical and policy reasons. Personally I’d like to focus on the latter but remarks on both are welcome. This proposal doesn’t require anyone to do anything with this data (i.e. relying parties can choose whether or not to utilize it).


Thanks,
Dean

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
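The remark above that "policy OIDs are inherited" is the RFC 5280 path-validation rule: a policy OID asserted in a leaf certificate only survives validation if every certificate below the trust anchor asserts the same OID (or anyPolicy), so a CA whose intermediates carry only a DV OID, or no certificatePolicies extension at all, could not simply start putting an OV OID in leaf certificates. The following is an added example, not code from this thread or from any CA: it decodes the certificatePolicies extension from DER and applies a simplified version of that intersection to a hand-constructed chain. The three EV/DV/OV policy OIDs are the values the CA/Browser Forum reserved in the EV Guidelines and Baseline Requirements; the thread itself does not list them, and the DER samples are constructed for this example.

```python
# Added example (not from the thread or any CA): decode certificatePolicies and
# apply the RFC 5280 rule that a leaf's policy OID is only valid when every
# certificate below the trust anchor also asserts it (or anyPolicy).

ANY_POLICY = "2.5.29.32.0"          # anyPolicy, RFC 5280 section 4.2.1.4

# Policy OIDs reserved by the CA/Browser Forum for EV/DV/OV certificates;
# taken from the EV Guidelines / Baseline Requirements, not from the thread.
BR_POLICY_NAMES = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents):
    """Convert DER OBJECT IDENTIFIER contents octets to dotted-decimal form."""
    arcs, value = [], 0
    for b in contents:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # last octet of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]                                 # first octet packs arcs 1 and 2
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_certificate_policies(ext_value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation; return the policy OIDs.
    Policy qualifiers (CPS URI, user notice) are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)        # PolicyInformation
        oid_tag, oid_bytes, _ = _read_tlv(info, 0)  # policyIdentifier comes first
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_bytes))
    return oids


def effective_policies(chain):
    """Simplified RFC 5280 section 6.1 policy processing.

    chain: one list of policy OIDs per certificate, the certificate directly
    below the trust anchor first and the leaf last; [] means the certificate
    has no certificatePolicies extension, which empties the valid set.
    Policy mappings, inhibitAnyPolicy and requireExplicitPolicy are ignored.
    """
    valid = {ANY_POLICY}                            # nothing restricted yet
    for asserted in map(set, chain):
        if ANY_POLICY in asserted:
            continue                                # anyPolicy leaves the set unchanged
        valid = asserted if ANY_POLICY in valid else valid & asserted
    return valid


def classify(chain_der):
    """Map a chain of DER certificatePolicies values (None = extension absent)
    to the BR validation levels that survive path validation."""
    chain = [parse_certificate_policies(v) if v else [] for v in chain_der]
    return sorted(BR_POLICY_NAMES[p] for p in effective_policies(chain) if p in BR_POLICY_NAMES)


# Constructed DER certificatePolicies values, hand-encoded for this example.
ANY_POLICY_EXT = bytes.fromhex("300830060604551d2000")          # anyPolicy only
DV_EXT = bytes.fromhex("300a3008060667810c010201")              # 2.23.140.1.2.1
OV_EXT = bytes.fromhex("300a3008060667810c010202")              # 2.23.140.1.2.2
EV_EXT = bytes.fromhex("30093007060567810c0101")                # 2.23.140.1.1
DV_AND_OV_EXT = bytes.fromhex("30143008060667810c0102013008060667810c010202")

if __name__ == "__main__":
    # Intermediate asserting anyPolicy: the leaf's DV OID is meaningful.
    print(classify([ANY_POLICY_EXT, DV_EXT]))
    # Intermediate issued with only the DV OID: an OV leaf under it validates
    # with an empty policy set, so the OV marker is lost to a strict validator.
    print(classify([DV_EXT, OV_EXT]))
    # Intermediate with no certificatePolicies extension at all: same result.
    print(classify([None, EV_EXT]))
```

The second and third cases are the situation the message describes: adding a DV or OV OID to leaf certificates alone does nothing for a client that runs full policy processing unless the intermediates are re-issued to assert those OIDs or anyPolicy. A production check should use a complete path validator rather than this reduced intersection, which deliberately omits policy mappings and the explicit-policy and inhibit-anyPolicy constraints.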
