[cabfpub] SRV Ballot - the revenge

Erwann Abalea Erwann.Abalea at docusign.com
Wed Sep 28 05:44:01 MST 2016 

Bonjour,

Looking from the other side (relying party), consider a CA certificate having a NameConstraints extension without the otherName:SRVName type, and a subscriber certificate containing such a otherName:SRVName entry in the SAN.

X.509/RFC5280 validation rules say that the subscriber certificate is valid. What the proposed text says is that if the CA is public then this is a fault, just like issuing certificates with other kind of otherName entries or non qualified hostnames. Not perfect, but we already did it.

The subject of Technically Constrained CAs was raised before, I raise it here again, there is no standard way for a CA to issue a subordinate CA certificate and technically deny its ability to issue subscriber certificates with any kind of SRVName entries.
I asked the IETF/PKIX group (or what remains) in July about this issue, the only 2 proposed solutions were:

1/ have a NC:permittedSubtrees containing an invalid SRVName (« _invalid.invalid »)
2/ have a NC:excludedSubtrees (or permitted?) containing a non defined value, SRVName = « _ »; it can only work if « _ » is considered the same for every application, either « matches everything » or « rejects everything » (everything being service name AND domain name)


Cordialement,
Erwann Abalea

Le 27 sept. 2016 à 23:11, Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>> a écrit :

Resurrecting this ballot after it’s long hiatus.  It’s essentially the same, but I removed the underscore modification.

-- MOTION BEGINS –

Effective immediately, the follow changes are made to the Baseline Requirements:

A)    Section 4.2.2 of the Baseline Requirements is replaced with “No Stipulation”

B)    Add the following definition to Section 1.6.1:
Wildcard Domain Name: A Domain Name formed by prepending '*.' to a FQDN.

C)    Section 7.1.4.2.1 is amended as follows:
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully‐Qualified Domain Name, Wildcard Domain Name, or an iPAddress containing the IP address of a server, or an otherName of type SRVName as defined in RFC4985. An entry MUST NOT be an Internal name or Reserved IP Address. The CA MUST confirm the entry as follows:
a)      For a Fully‐Qualified Domain Name or Wildcard Domain Name entry, the CA MUST verify the entry in accordance with Section 3.2.2.4;
b)     For a SRVName entry, the CA MUST verify the Name portion of the entry in accordance with Section 3.2.2.4; and
c)      For an IP address entry, the CA MUST verify the entry in accordance with Section 3.2.2.5 or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. Wildcard FQDNs are permitted.

As exceptions to RFC5280 and X.509, dNSName entries MAY contain Wildcard Domain Names. SRVName entries MUST NOT contain Wildcard Domain Names.

If a name constrained CA has a dNSName constraint but does not have a constraint for SRVNames, the CA MUST NOT issue certificates containing SRVNames.

As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CAsSHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name. Effective May 1, 2015, each CA SHALL revoke all unexpired Certificates with an Internal Name using onion as the right‐most label in an entry in the subjectAltName Extension or commonName field unless such Certificate was issued in accordance with Appendix F of the EV Guidelines.

---- END BALLOT ----



<SRV Name Proposal.pdf>_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160928/59e82dd5/attachment-0001.html

More information about the Public mailing list