[cabfpub] Misissuance of certificates

Rick Andrews Rick_Andrews at symantec.com
Mon Jan 18 18:45:23 UTC 2016


That discussion was challenging because each browser had different behavior regarding what it accepted as an SSL cert. I had captured some of the differences here: https://cabforum.org/wiki/Browser%20Behavior, and that's likely out of date.

-Rick

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Monday, January 18, 2016 10:22 AM
To: Peter Bowen; Doug Beattie
Cc: public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

The Forum has debated this several times in the past.  We have yet to define what "intended to be used for authenticating servers accessible through the Internet" means.  I previously proposed this apply to all certs with serverAuth, no EKU, or anyEKU, but there were complications with the way qualified certs and PIV-I(?) certs are issued.  I'd be in favor of resurrecting the topic and passing something once and for all. 

Jeremy

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Monday, January 18, 2016 10:59 AM
To: Doug Beattie
Cc: public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates

The BRs apply to both “SSL” certificates and Extended Validation Code Signing certificates.

To me, this translates to excluding certificates which have one or more key purposes defined and do not include the id-kp-serverAuth key purpose.

The exception is where the key purposes include id-kp-codeSigning and the subject distinguished name includes an attribute of type 1.3.6.1.4.1.311.60.2.1.3, as these are EVCS certificates, so are in scope.  Given that the Code Signing BR ballot failed, other code signing certificates are not in scope.

Thanks,
Peter
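
Added example, not from this thread and not any CA's or root program's own code: a small Python script that decodes a DER-encoded ExtKeyUsage value and applies the scoping rule Peter states above (no key purposes, or id-kp-serverAuth present, or id-kp-codeSigning together with the 1.3.6.1.4.1.311.60.2.1.3 subject attribute), with Jeremy's earlier "anyEKU counts as in scope" proposal available as an option. The key-purpose OIDs are the RFC 5280 values; the function names, the `treat_any_eku_as_in_scope` flag and the sample extension values are constructed here for illustration. The parser reads the ExtKeyUsageSyntax content (what sits inside the extension's extnValue OCTET STRING), not a whole certificate.

```python
# Added example (not from the cabfpub thread): decode an ExtKeyUsage value
# and decide whether a certificate falls under the BR scoping rule discussed.

# Key-purpose OIDs from RFC 5280 section 4.2.1.12 and the EV subject
# attribute Peter cites (jurisdictionOfIncorporationCountryName).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
EV_JURISDICTION_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"


def _read_tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    pos += 1
    length = data[pos]
    pos += 1
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]  # first octet packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(oid):
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER (short-form length)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes([0x06, len(out)]) + out


def encode_eku(oids):
    """Build a DER ExtKeyUsageSyntax (SEQUENCE OF OID); used to construct samples."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body


def parse_eku(der):
    """Parse ExtKeyUsageSyntax and return the list of dotted key-purpose OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsage members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    if not oids:
        raise ValueError("ExtKeyUsage SEQUENCE must not be empty")
    return oids


def in_br_scope(eku_der, subject_attr_oids, treat_any_eku_as_in_scope=False):
    """Apply the scoping rule from the thread.

    eku_der: DER ExtKeyUsageSyntax, or None when the certificate has no EKU.
    subject_attr_oids: dotted OIDs of the attribute types in the subject DN.
    treat_any_eku_as_in_scope: Jeremy's variant, where anyExtendedKeyUsage
    also pulls the certificate into scope (assumption: option name is ours).
    """
    if eku_der is None:
        return True  # no key purposes defined: not excluded
    purposes = parse_eku(eku_der)
    if ID_KP_SERVER_AUTH in purposes:
        return True
    if treat_any_eku_as_in_scope and ANY_EXTENDED_KEY_USAGE in purposes:
        return True
    # EV Code Signing: codeSigning plus the EV jurisdiction attribute in the subject
    if ID_KP_CODE_SIGNING in purposes and EV_JURISDICTION_COUNTRY in subject_attr_oids:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a TLS server cert, a client-only cert, an EVCS cert.
    cn_only = ["2.5.4.3"]
    print(in_br_scope(encode_eku([ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH]), cn_only))
    print(in_br_scope(encode_eku([ID_KP_CLIENT_AUTH]), cn_only))
    print(in_br_scope(encode_eku([ID_KP_CODE_SIGNING]), cn_only + [EV_JURISDICTION_COUNTRY]))
```

The split between `in_br_scope` and the parser is deliberate: the disagreement in the thread is about the policy predicate, and keeping it in one short function makes it easy to swap in whatever definition of "intended for server authentication" the Forum eventually adopts, while the DER handling stays untouched.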

> On Jan 18, 2016, at 9:16 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:
> 
> I thought the BRs only applied to SSL certificates, are you proposing that CAs track and report on more than just SSL certificates?  That surely goes beyond the BRs and the scope of CABF.
> 
> I personally feel strongly that the CABF, as a standards forum, should be focused on improving security and defining strong standards, but that compliance is a completely different group.  This is why we have WT for CA audits and also root programs which can levy compliance and reporting requirements on CAs.  If the Root store operators and WT want to get together and lead the definition of a compliance monitoring standard/initiative that's fine, but I'm against CABF getting into that business. 
> 
> Doug
> 
> 
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Gervase Markham
> Sent: Monday, January 18, 2016 12:01 PM
> To: Sigbjørn Vik <sigbjorn at opera.com>; public at cabforum.org
> Subject: Re: [cabfpub] Misissuance of certificates
> 
> On 18/01/16 11:58, Sigbjørn Vik wrote:
>> No. The current understanding of the scope is all certificates 
>> chaining to a root embedded in public browsers. A CA can choose 
>> itself which roots are in scope, but not individual certificates.
> 
> Technically constraining it _does_ change some things. But if I remember correctly, those relate to other root program requirements, rather than to the BRs.
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
