[Servercert-wg] Clarifications to Certificate Policy Requirements

Ryan Sleevi sleevi at google.com
Thu Jul 11 12:59:26 MST 2019


The questions@ list recently got a question proposing some changes to
Sections 7.1.2.3 and 7.1.6.4 of the Baseline Requirements.

7.1.2.3. Subscriber Certificates contains the following:

> a. certificatePolicies
> This extension MUST be present and SHOULD NOT be marked critical.
>     certificatePolicies:policyIdentifier (Required)
>      A Policy Identifier, defined by the issuing CA, that indicates a
> Certificate Policy asserting the issuing CA's adherence to and compliance
> with these Requirements.

> The following extensions MAY be present:
> certificatePolicies:policyQualifiers:policyQualifierId (Recommended)
>     *   id-qt 1 [RFC 5280].
> certificatePolicies:policyQualifiers:qualifier:cPSuri (Optional)
>     * HTTP URL for the Subordinate CA's Certification Practice Statement,
> Relying Party Agreement or other pointer to online information provided by
> the CA.


7.1.6.4 Subscriber Certificates contains the following:

> A Certificate issued to a Subscriber MUST contain one or more policy
> identifier(s), defined by the Issuing CA,
> in the Certificate’s certificatePolicies extension that indicates
> adherence to and compliance with these
> Requirements. CAs complying with these Requirements MAY also assert one of
> the reserved policy OIDs in
> such Certificates.
> The issuing CA SHALL document in its Certificate Policy or Certification
> Practice Statement that the
> Certificates it issues containing the specified policy identifier(s) are
> managed in accordance with these
> Requirements.


Here, the concern highlighted is with respect to the "defined by the
Issuing CA" clause. Is this an OID within the CAs' own namespace (i.e. an
OID they have assigned), or is this permitted to be any OID, including
those captured within 7.1.6.4, provided that the CA "defines" it (e.g. via
their CP/CPS)? That is, the confusion is whether "defines" means
"assigns/registers" or whether it means "documents/designates".

If the view is "documents/designates", then there's a similar question as
to how to read 7.1.6.4. That is, if the designated OID is the CABForum
reserved OID, and only that reserved OID, is that acceptable? 7.1.6.4
states "MAY also", but it's unclear whether that also means "as an
alternative OR in addition to" or only "in addition to".


Somewhat related, there have been separate discussions with respect to
7.1.2.2, Subordinate CA Certificates, which reads

> a. certificatePolicies
> This extension MUST be present and SHOULD NOT be marked critical.
>     certificatePolicies:policyIdentifier (Required)

> The following fields MAY be present if the Subordinate CA is not an
> Affiliate of the entity that controls the
> Root CA.
> certificatePolicies:policyQualifiers:policyQualifierId (Optional)
>     * id-qt 1 [RFC 5280].
> certificatePolicies:policyQualifiers:qualifier:cPSuri (Optional)
>     * HTTP URL for the Root CA's Certificate Policies, Certification
> Practice Statement, Relying Party
> Agreement, or other pointer to online policy information provided by the CA


Here, the question is whether a CA is permitted to include a cPSuri for a
subordinate CA if it is operated by an Affiliate. The issue is that, at
present, the language reads that the cPSuri may only be included if it's
not operated by an entity that controls the Root. Several members of this
Forum have done so, and thus there's a question about whether this is
misissuance of such subordinate CAs.

Without taking a position one way or the other, I'm very curious to know
how folks interpret these sections, and whether there are other
interpretations that have been overlooked for these sections beyond the two
highlighted for each of them.
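As an added example, not part of the message above or of the Baseline Requirements: a small Python decoder for the certificatePolicies extension value that separates the CA/Browser Forum reserved policy OIDs from CA-defined ones and collects any cPSuri qualifiers, which is the check a CA or a certificate linter would run when deciding how 7.1.2.3 and 7.1.6.4 apply to a given certificate (reserved OID only, CA-defined OID only, or both). The sample extension, the enterprise arc 1.3.6.1.4.1.99999 and the URI http://example.com/cps are constructed for the example; the reserved OID values are taken from BR section 7.1.6.1 and the EV Guidelines, which the message does not quote.

```python
"""Decode a DER certificatePolicies value and classify its policy OIDs.

Added example, not the CA/B Forum's or any CA's code. It reports which
policyIdentifiers are reserved CA/Browser Forum OIDs, which are CA-defined,
and which cPSuri qualifiers are present.
"""

# Reserved policy OIDs: three from BR 7.1.6.1 plus the EV Guidelines OID.
CABF_RESERVED = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
    "2.23.140.1.1": "EV",
}
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # id-qt 1: the cPSuri qualifier (RFC 5280)
TAG_SEQUENCE, TAG_OID, TAG_IA5 = 0x30, 0x06, 0x16


def _der(tag, body):
    """Wrap body in a definite-length TLV (short or two-byte long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der(TAG_OID, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents back to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_certificate_policies(der):
    """Parse SEQUENCE OF PolicyInformation into [{"oid": ..., "cps_uris": [...]}]."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    policies, pos = [], 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, oid_body, qpos = _read_tlv(info, 0)
        if otag != TAG_OID:
            raise ValueError("policyIdentifier must be an OID")
        entry = {"oid": _decode_oid(oid_body), "cps_uris": []}
        if qpos < len(info):  # optional policyQualifiers SEQUENCE OF
            _, quals, _ = _read_tlv(info, qpos)
            qp = 0
            while qp < len(quals):
                _, qinfo, qp = _read_tlv(quals, qp)
                _, qid, vpos = _read_tlv(qinfo, 0)
                if _decode_oid(qid) == ID_QT_CPS:  # ignore userNotice and others
                    _, uri, _ = _read_tlv(qinfo, vpos)
                    entry["cps_uris"].append(uri.decode("ascii"))
        policies.append(entry)
    return policies


def classify(policies):
    """Split parsed policies into reserved vs CA-defined and gather cPSuri values."""
    report = {"reserved": [], "ca_defined": [], "cps_uris": []}
    for p in policies:
        if p["oid"] in CABF_RESERVED:
            report["reserved"].append((p["oid"], CABF_RESERVED[p["oid"]]))
        else:
            report["ca_defined"].append(p["oid"])
        report["cps_uris"].extend(p["cps_uris"])
    return report


# Constructed sample: a CA-defined OID under a made-up enterprise arc carrying a
# cPSuri, followed by the reserved DV OID with no qualifiers.
CA_POLICY_OID = "1.3.6.1.4.1.99999.1.2"
SAMPLE_CPS_URI = "http://example.com/cps"


def build_sample():
    cps_qualifier = _der(TAG_SEQUENCE, _encode_oid(ID_QT_CPS)
                         + _der(TAG_IA5, SAMPLE_CPS_URI.encode("ascii")))
    ca_policy = _der(TAG_SEQUENCE, _encode_oid(CA_POLICY_OID)
                     + _der(TAG_SEQUENCE, cps_qualifier))
    dv_policy = _der(TAG_SEQUENCE, _encode_oid("2.23.140.1.2.1"))
    return _der(TAG_SEQUENCE, ca_policy + dv_policy)


if __name__ == "__main__":
    print(classify(parse_certificate_policies(build_sample())))
```

To run this against a real certificate, take the extension with OID 2.5.29.32 from tbsCertificate, strip its OCTET STRING wrapper and pass the inner bytes to parse_certificate_policies; a report with an empty ca_defined list is exactly the "reserved OID only" case the message asks about.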