[cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Wed Sep 17 23:09:23 MST 2014


Brian, you raise a good point, and Jeremy has done a good job of explaining the dilemma faced by CAs today in preparing for a January 1 deadline for CT implementation.

I only proposed the ballot so CAs would not (automatically) be violating the existing Baseline Requirements when implementing RFC 6962 and the Google CT plan and fail our next WebTrust / ETSI audit.

To deal with the need to define pre-certificates, we could change the sentence to read as follows:

"In order to comply with the requirements of Certificate Transparency, CAs may use precertificates as defined in RFC 6962 and certificates that contain the same serial number and are issued from the same Subordinate CA Certificate."

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy.Rowley
Sent: Thursday, September 18, 2014 12:15 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot for limited exemption to RFC 5280 for CT implementation

CT is required for EV in January, and most CAs are trying to get ready before the deadline.  Waiting for the Trans group isn't really an option anymore, especially if there is delay between any document adopted by Trans and the implementation date by Google. I also don't think we need to time-box on the language since (a) we don't have a timeline from Trans on when a standard will be adopted and (b) we don't have a timeline from Google on when any ideas from Trans will be adopted.

That said, we might want to clarify that the language about what constitutes a "pre-certificate".  Your definition seems reasonable.

Jeremy

On 9/17/2014 9:55 PM, Brian Smith wrote:
On Wed, Sep 17, 2014 at 7:01 PM, kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com> <kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com>> wrote:

1. Amend the Definitions as follows:

Valid Certificate: A Certificate that passes the validation procedure specified in RFC 5280 (except for the limited exemption provided in Appendix B).

This seems like a bad and unnecessary idea to me. The trans working group is already debating discussing the format of precertificates so that they are not syntactically-valid certificates for the standards-track CT mechanism. The version of CT Google and the CAs have implemented is an experiment, not a standard or proposed standard. The CAs can work around this issue by using the OCSP-based CT mechanism instead of the precertificate mechanism. Finally, IIUC, the only negative consequence of this that EV certificates

IMO, it makes more sense to change the experiment than it does to (effectively) change the fundamental standards that all CABForum work is based on.

Note that the use or non-use of a precertificate signing certificate has no bearing (IIUC) on whether the precertificate would be a duplicate of the final certificate, because the difference between Option 1 and Option 2 doesn't affect the issuer and serial number fields of the precertificate.

 2. Amend Appendix B as follows:

Appendix B - Certificate Extensions (Normative); Limited Exemption from Compliance with RFC 5280

This appendix specifies the requirements for Certificate extensions for Certificates generated after the Effective Date. ***

(5) Limited Exemption from Compliance with RFC 5280

In order to comply with the requirements of Certificate Transparency, CAs may use pre-certificates and certificates that contain the same serial number and are issued from the same Subordinate CA Certificate.

I think the language here should be cleaned up, because "pre-certificate" is not defined in the document. In particular, I suggest that you state the exemption in terms of the presence of the critical poison extension and that the two certificates must be bit-for-bit identical except for the poison extension, the SCT extension, and the signature, and the length fields of the tbsCertificate and tbsCertificate.extensions fields. This way, you avoid creating a giant and unintended loophole in the BRs.

Also, I suggest that you time-box the exemption so that it doesn't continue in perpetuity, past when CT is fixed.

Cheers,
Brian





_______________________________________________

Public mailing list

Public at cabforum.org<mailto:Public at cabforum.org>

https://cabforum.org/mailman/listinfo/public


<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140918/a6ef10ed/attachment-0001.html 


More information about the Public mailing list