[cabfpub] Misissuance of certificates

Peter Bowen pzb at amzn.com
Wed Jan 20 23:05:56 UTC 2016

> On Jan 20, 2016, at 12:51 PM, Ryan Sleevi <sleevi at google.com> wrote:
> On Wed, Jan 20, 2016 at 11:57 AM, Peter Bowen <pzb at amzn.com <mailto:pzb at amzn.com>> wrote:
> What would you think about defining a new term, “Compliance Date”?
> Compliance Date: The Compliance Date of a certificate is the earlier of the notBefore field or when the CA signs the certificate
> Then it can be used to make it very clear:
> These Requirements apply to all Certificates with a Compliance Date of or after February 15, 2013 that include id_kp_serverAuth ( in the extended key usage extension. Additionally, these Requirements apply to all Certificates with a Compliance Date of or after June 30, 2016 that either do not include the extended key usage extension or include anyExtendedKeyUsage ( in the extended key usage extension.
> This seems to weaken Jeremy's proposal - but perhaps it's merely bringing clarity to what was already a weak proposal.

I admit that it might weaken it in one area — by saying the Compliance Date is the earlier of notBefore or CA signing, it would allow a CA to issue a certificate now with a notBefore of Feb 1, 2013 and avoid the rule.  This is possible because there is no rule about how the notBefore date relates to the date when the CA signs the certificate.

> That is, it leaves an unknown portion of non-BR certificates out there for an unknown number of years (since, by being non-BR, we cannot presume that the certificates themselves will expire within the 39 months prescribed by the BRs, nor the 60 months previously allowed)
> The problem with the Web PKI is determining what the known-knowns are, but also trying to map out the unknown-unknowns - there's a vast portion of 'hidden' certificates which do not comply to the BRs, but were issued by BR conforming roots. The past two years of Mozilla's CA communications demonstrate Mozilla's own attempts to map out the scope and impact of such certificates - even when the requirements were much clearer.

From CT logs, it seems that a number of CAs were issuing certificates with validity periods of up to 10 years prior to the BRs coming into effect.  It doesn’t seem clear to me that this was against any rule.

> If we adopt a position of "go forward" of June 30, 2016 being when anything in scope (and there may still be some wording tweaks needed here to clarify that issuance from a CA that has the EKUs but leaves that do not have EKUs, the leaf is _still in scope_), I think we should also look at an internal-server-name like "revoke-or-disclose" sunset clause.
> The end goal being that, for roots and intermediates that conform to the BRs, the entire population of certificates - and the requirements that they were expected to abide by - can be known.

I think that putting in some compliance dates is a start.  Yes, it might not be great, but at least it should create a closed set of certificates rather than continuing to have ambiguity.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160120/85765179/attachment-0003.html>

More information about the Public mailing list