[cabfpub] Applicability of BRs to Client Authentication certificates

Jeff Ward jward at bdo.com
Thu Apr 12 17:11:56 UTC 2018

I am submitting this request on behalf of the WebTrust Task Force.  We would like to seek clarification from the CA/B Forum on the applicability of the Baseline Requirements for certificates that chain to a Root in a browser root store, which are only used for TLS Web Client Authentication (i.e. the EKU includes and does not include

Section 1.1 Overview states, in part, "These Requirements only address Certificates intended to be used for authenticating servers accessible through the Internet".

This suggests that the BRs only apply to TLS Web Server Authentication.

However, Section, Subscriber Certificate (extKeyUsage) states, in part, "Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present.

This is quite clear that they do apply to certificates that are only for TLS Web Client Authentication, but this contradicts the Overview section.

Additionally, the word 'server' is used throughout the BRs without an actual definition, and it is therefore unclear of the applicability of these sectiosn to certificates that are only for TLS Web Client Authentication.

For example, Section Subject Alternative Name Extension:

"Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. Wildcard FQDNs are permitted."

It is ambiguous as to whether this apples to a Client Authentication-only certificate. Additionally, there are questions on whether additional entry types (for example, DirName) may be acceptable in a Client Authentication-only certificate.

Our ask of the CA/B Forum would be to:

1.    Clarify whether or not the BRs apply to Client Authentication-only certificates, and update the BRs to explicitly state whether they apply or don't.
2.    If they do apply, then to update the BRs to ensure there is no ambiguity between a 'server' and a 'client', and if any updates need to be made to address different requirements for Client Authentication-only certificates.

Thank you for your assistance.


National Managing Partner Third Party Attestation (SOC/WebTrust/Cybersecurity)
314-889-1220 (Direct)    347-1220 (Internal)
314-889-1221 (Fax)
jward at bdo.com<mailto:jward at bdo.com>

101 S Hanley Rd, #800
St. Louis, MO 63105

Please consider the environment before printing this e-mail

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.

BDO is the brand name for the BDO network and for each of the BDO Member Firms.


The contents of this email and any attachments to it may contain privileged and confidential information from BDO USA, LLP. This information is only for the viewing or use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of, or the taking of any action in reliance upon, the information contained in this e-mail, or any of the attachments to this e-mail, is strictly prohibited and that this e-mail and all of the attachments to this e-mail, if any, must be immediately returned to BDO USA, LLP or destroyed and, in either case, this e-mail and all attachments to this e-mail must be immediately deleted from your computer without making any copies hereof. If you have received this e-mail in error, please notify BDO USA, LLP by e-mail immediately.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180412/a32919c0/attachment-0002.html>

More information about the Public mailing list