[Servercert-wg] Ballot SC23: Precertificates
Ryan Sleevi
sleevi at google.com
Thu Oct 24 08:17:35 MST 2019
Er, crossed threads here with the subjectName for CAs thread (as you can
see from the links)
I gave the examples right in the thread. I'll spell them out more as to why
it's bad for a Precertificate to be a Certificate.
If you have a Precertificate Signing CA, it's an RFC 5280 violation to
issue the Precertificate (if it's a Certificate), because the Subject does
not match the Issuer (the Precert Signing CA) but the parent issuer (the
"actual" issuer)
If a Precertificate is a Certificate, it also means a Precertificate
Signing CA needs to provision OCSP services for those Precertificates it
issues. This is the concern that Entrust raised - it places a normative
requirement - which is what we don't want to do.
If a Precertificate is a Certificate, then it's now normative to address
these in CRLs. Again, that's a long-term goal, but not a short-term goal.
It creates issues with Precertificate Signing CAs and the scope of the BRs.
A PSCA doesn't have a id-kp-serverAuth EKU, so is it exempt now from all
requirements? What are the implications, then, to what it issues - all the
Precertificates, despite being Certificates, are nominally not in scope
because of that constraint. So the objective - of trying to clarify the
scope/expectation - isn't actually met.
Declaring Precerts-as-Certs requires carefully re-reading all of 5280, all
of 6962, and all of the BRs, to try to reach an internal consistency, when
6962 was trying to say that they are not-Certs, and to leave the
implications (the presumption of an equivalent cert) to being a Relying
Party/Policy decision.
Again, I'm in favor of making sure we've got a holistic cleanup. I've
offered a suggestion that, despite some confusion, does seem like it
provides a path for a long-term remediation and clarification that will be
systemically useful. But that doesn't solve the short-term need, while
talking with folks like Rob and Tim, I think might. That's the language
captured in
https://github.com/cabforum/documents/compare/master...sleevi:2019-10-OCSP
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191024/68fa1e10/attachment.html>
More information about the Servercert-wg
mailing list