[cabfpub] Additional OIDs in end-entity certificates

Sun Aug 21 21:14:04 UTC 2016

On our recent teleconference, the Forum discussed what happens when there is a conflict between the naming requirements of the Baseline Requirements (generally at BR 7.1.4) and a conflicting local or national requirement.  The current issue will be discussed in the Minutes for the August 18 teleconference once approved, but it did occur to some of us that this kind of issue will arise again in the future.

One place where if could arise is with the EU’s eIDAS requirements.  See https://en.wikipedia.org/wiki/EIDAS

This email is not about eIDAS, but is intended to pose a simple question (mainly to the browsers):  if a CA wants to include a new OID of its choosing in a certificate (such as a specified eIDAS OID that means “This certificate complies with eIDAS regulations”), is there any reason not to allow that?  I understand that the browsers may choose to ignore such a new OID (for example, the browsers may decide “we will not give this eIDAS OID cert any special UI in the browser), but is there any technical reason for prohibiting CAs from including such extra OIDs in their certificates if they want to?  Do we need to limit what OIDs can be included in an end-entity certificate - and if so, why?

I think Jody gave me an explanation of why extra OIDs could be problematic for Windows, but I can’t remember what it was.

What about Apple, Mozilla, Google?  Any problems with CAs including an extra OID in a certificate?

If there are no problems, I think we should perhaps amend the BRs to make it clear extra OIDs are permitted.

BR 1.2. DOCUMENT NAME AND IDENTIFICATION
This certificate policy (CP) contains the requirements for the issuance and management of publicly‐trusted
SSL certificates, as adopted by the CA/Browser Forum.
The following Certificate Policy identifiers are reserved for use by CAs as an optional means of asserting
compliance with this CP (OID arc 2.23.140.1.2) as follows:
{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) baselinerequirements(
2) domain‐validated(1)} (2.23.140.1.2.1);
{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) baselinerequirements(
2) organization‐validated(2)} (2.23.140.1.2.2); and
{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1) baselinerequirements(
2) individual‐validated(3)} (2.23.140.1.2.3).

7.1.2.4. All Certificates
All other fields and extensions MUST be set in accordance with RFC 5280. The CA SHALL NOT issue a
Certificate that contains a keyUsage flag, extendedKeyUsage value, Certificate extension, or other data not
specified in section 7.1.2.1, 7.1.2.2, or 7.1.2.3 unless the CA is aware of a reason for including the data in the
Certificate.
CAs SHALL NOT issue a Certificate with:
a. Extensions that do not apply in the context of the public Internet (such as an extendedKeyUsage
value for a service that is only valid in the context of a privately managed network), unless:
i. such value falls within an OID arc for which the Applicant demonstrates ownership, or
ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or
b. semantics that, if included, will mislead a Relying Party about the certificate information verified by
the CA (such as including extendedKeyUsage value for a smart card, where the CA is not able to verify
that the corresponding Private Key is confined to such hardware due to remote issuance).

7.1.6. Certificate Policy Object Identifier
7.1.6.1. Reserved Certificate Policy Identifiers
This section describes the content requirements for the Root CA, Subordinate CA, and Subscriber Certificates,
as they relate to the identification of Certificate Policy.
The following Certificate Policy identifiers are reserved for use by CAs as an optional means of asserting
compliance with these Requirements as follows:
{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1)
baseline‐requirements(2) domain‐validated(1)} (2.23.140.1.2.1), if the Certificate complies with
these Requirements but lacks Subject Identity Information that is verified in accordance with Section
3.2.2.1 or Section 3.2.3.
If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName,
streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1)
baseline‐requirements(2) organization‐validated(2)} (2.23.140.1.2.2), if the Certificate complies with
these Requirements and includes Subject Identity Information that is verified in accordance with
Section 3.2.2.1.
{joint‐iso‐itu‐t(2) international‐organizations(23) ca‐browser‐forum(140) certificate‐policies(1)
baseline‐requirements(2) individual‐validated(3)} (2.23.140.1.2.3), if the Certificate complies with
these Requirements and includes Subject Identity Information that is verified in accordance with
Section 3.2.3.
If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName,
localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the
extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field. If the Certificate
asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or
givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii)
stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject
field.

7.1.6.4. Subscriber Certificates
A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA,
in the Certificate’s certificatePolicies extension that indicates adherence to and compliance with these
Requirements. CAs complying with these Requirements MAY also assert one of the reserved policy OIDs in
such Certificates.
The issuing CA SHALL document in its Certificate Policy or Certification Practice Statement that the
Certificates it issues containing the specified policy identifier(s) are managed in accordance with these
Requirements.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160821/9a7d7be1/attachment-0002.html>