[cabfpub] Ballot 188 - Clarify use of term "CA" in Baseline Requirements

Dimitris Zacharopoulos jimmy at it.auth.gr
Wed Mar 1 07:36:42 UTC 2017 

On 1/3/2017 7:16 πμ, Peter Bowen wrote:
> I realize this is super late feedback, but after doing an internal 
> review of this ballot, I think it actually makes a key issue worse 
> rather than solving it.
>
> According to the ballot, "Root CA Certificate” is now defined as "A CA 
> Certificate in which the Public Key has been digitally signed by its 
> corresponding Private Key.”  This basically means that every 
> self-signed certificate is now considered a Root CA Certificate.  This 
> definition is then used in section 6.1.1.1: "For a Key Pair generated 
> to be associated with either (i) a Root CA Certificate or (ii) a 
> Subordinate CA Certificate to be operated by an Externally Operated 
> Subordinate CA, the CA SHALL:” and in 6.1.7 when discussing the 
> limitations of key usage.
>
> This effectively means that any CA that wants to create a self-signed 
> certificate, even if it is intended to be used as a subordinate CA, 
> must follow the key generation procedure where they must have an 
> auditor witness or write a report based on watching the video tape. 
>  It also means that any key found in a self-signed certificate cannot 
> be used to sign end-entity certificates.
>
> Given the clear focus on compliance to specifications as written, I 
> think that this is a bug that can easily bite many CAs.  I know I 
> don’t want to be restricted using a CA for issuing server certificates 
> just because I happened to create a self-signed certificate for that CA.
>
> Thanks,
> Peter
>

Hi Peter,

The original (currently effective) BR language is:

"Root Certificate:  The self-signed Certificate issued by the Root CA to 
identify itself and to facilitate verification of Certificates issued to 
its Subordinate CAs."

I think, the concern you raise already exists in the current BRs. The 
current 6.1.1.1 makes things even worse: "For Root CA Key Pairs created 
after the Effective Date that are either (i) used as Root CA Key Pairs 
or (ii) Key Pairs generated for a subordinate CA that is not the 
operator of the Root CA or an Affiliate of the Root CA, the CA SHALL:"

It mixes up Root CA Key Pairs (an organization doesn't have key pairs) 
and we also get the Affiliate of the Root CA in there as well.

The new 6.1.1.1 would replace the first sentence as "For a Key Pair 
generated to be associated with either (i) a Root CA Certificate or (ii) 
a Subordinate CA Certificate to be operated by an Externally Operated 
Subordinate CA, the CA SHALL".

An improvement to address your valid concern would be to combine the 
"Root Certificate" with the "Root CA Operator" definition which is "The 
top-level Certification Authority (i.e. an organization) whose CA 
Certificate (or associated Public Key) is distributed by Application 
Software Suppliers as a trust anchor".

Perhaps changing the "Root CA Certificate" as "A CA Certificate in which 
the Public Key has been digitally signed by its corresponding Private 
Key with the intention to be distributed by Application Software 
Suppliers as a trust anchor". Would that work?


Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170301/38bc4b33/attachment-0003.html>

More information about the Public mailing list