[cabfpub] Issuers in BR/EV/EVCS Guideline Scope

[Peter Bowen]

The CA/Browser Forum has published three major Guideline documents: the Baseline Requirements, Extended Validation, Guidelines, and Extended Validation Code Signing Guidelines. None of these include clear statements of their scope.  There have been several attempts to define when an issuer is in scope that have resulted in no action due to some gray areas.

Instead, I would like to try to get consensus on issuers explicitly not in scope.  My view is that “scope” is something that flows via CA certificates:
- Scope starts when a CA (Distinguished Name & Public Key) is included by at least one browser adopting the BRs
  - I know that Mozilla and Microsoft have adopted these.  I’m not clear if any other programs have adopted them.
- Scope is conferred by a CA in scope issuing a CA certificate to another CA (different Distinguished Name or Public Key)
  - CA Certificate is a certificate that has at least one of Basic Constraints with CA:TRUE, keyCertSign key usage, cRLSign key usage

I think the following two things are clearly cases when scope does not confer:
- Scope is not conferred after the notAfter date in the CA certificate (scope expires)
- Scope is not conferred if the CA certificate includes a properly formed Extended Key Usage extension and the listed key purposes do not include any of {anyExtendedKeyUsage, id-kp-serverAuth, id-kp-codeSigning}

I know some PKIs view X.509/PKIX as stating that the EKU defines how the pubic key in the certificate can be directly used rather than as a constraint.  I don’t know of a standardized key purpose for certificate signing, but if there is one, it should join the other three as things that don’t prevent scope from conferring.

Does anyone disagree that these two are clear cases when scope does not confer?

Thanks,
Peter