[Servercert-wg] [EXTERNAL] Ballot SC23: Precertificates

Ryan Sleevi sleevi at google.com
Fri Oct 25 13:44:03 MST 2019


I'll try to summarize with bullets, in the hope this would help. But
apologies if I'm not helping.

Goals:

   - This has nothing to do with requiring any CA support Certificate
   Transparency
   - This is not meant to put any normative requirements on CAs to do
   something new; that is, it is strictly to make the BRs language more
   permissive (at least, as read by some CAs), while not prohibiting anything
   they're currently doing, nor requiring through the BRs do anything
   different or new

The question this is trying to resolve is:

   - If a CA issues (and logs) a Precertificate, but does not sign an
   equivalent Certificate, do the BRs permit them to provide status
   information for that associated serial number?

The desired result is:

   - If a CA issues (and logs) a Precertificate, but does not sign an
   equivalent Certificate, the BRs clearly permit them to provide status
   information for that Precertificate, but does not require them to do so.
   - If a CA issues (and logs) a Precertificate, Root Programs can, via
   their own Root Policy, require the CA to provide status information for the
   associated serial number/Precertificate.

There are two ways, so far, identified to do this:

   - Require the CA sign an equivalent Certificate for every Precertificate
   they issue. That is, IF they log a Precertificate, THEN they MUST issue a
   matching Certificate
      - This "solves" the problem because a CA never has to worry about
      providing information for a Precertificate: because they're always
      providing information for the matching Certificate.
   - Clarify, in the BRs, that a CA MAY provide revocation information for
   the serial numbers within a Precertificate, with no further requirements.

Now, the problem with the first option is that if a CA issues a "bad"
precertificate (e.g. a precertificate for 'google.com'), they MIGHT catch
it before they've issued an actual Certificate ("post-issuance linting").
If the first option was used, it would mean they MUST misissue a
Certificate for google.com.

   - If you're a Root Program that doesn't use/care about CT, then the
   existence of the Precertificate is not a problem. However, if/once they
   issued the Certificate, it would be a Big Problem.
      - This means this option is bad for Root Programs that don't use
      CT/don't care about Precertificates, because now CAs would HAVE
to misissue
      the equivalent Certificate if they misissue a Precertificate.
   - If you're a Root Program that does use/care about CT, then there's no
   difference here, and the first option is Meh/no change.

Wayne's version is
https://github.com/cabforum/documents/compare/master...wthayer:ballot-sc23 .
This is what is called SC23.

It attempts to do the second option: trying to clarify, in the BRs, that a
CA MAY provide revocation information for the serial number within a
Precertificate. It does this by defining a Precertificate as a Certificate.
This way, the CA providing revocation information for a Precertificate is
really just providing revocation information for a Certificate, and there's
no issue.

Concerns:

   - Bruce, at Entrust, raised concerns that this would mean CAs MUST
   provide revocation information for Precertificates. This was suggested for
   a Phase-In, because it's not just a MAY, but a MUST.
   - Myself/Google raised concerns that this would have impact a variety of
   other aspects of the BRs. (This is my fault, too, since I originally helped
   Wayne try to craft the language for the Ballot, because I was unfortunately
   too optimistic we'd solve a different problem with the language as well)



In hindsight, I offered a different approach, at
https://github.com/cabforum/documents/compare/master...sleevi:2019-10-OCSP .
This is not an official Ballot

It attempts to do the second option: trying to clarify, in the BRs, that a
CA MAY provide revocation information for the serial number within a
Precertificate. It does this by continuing to say a Precertificate is not a
Certificate, but adjusting our OCSP language so that a CA MAY provide
status information for these, in addition to the status information that
they already (no change) MUST provide for Certificates.

Concerns:

   - Dimitris raised concerns about the understandability of the language,
   but those seem to have been addressed.
   - Jeremy raised the concern that it doesn't solve that second problem I
   mentioned, which is why Wayne's approach is preferable to Jeremy.
      - I'm explicitly not trying to solve the second problem with this
      draft, but I agree it's important, and have made suggestions on how to
      solve it (as a separate ballot)
   - Jeremy raised concern with language Dimitris originally proposed as a
   modification to that draft
      - I believe the substance of Jeremy's concern (
      https://cabforum.org/pipermail/servercert-wg/2019-October/001289.html
      ) is now addressed
   - Kirk raised concerns that we can't/shouldn't reference RFCs, and/or
   that we should define Precertificate.
      - However, this is keeping with our existing language and approach in
      the BRs, and the approach used in the text is extensively used elsewhere
      within the BRs.
   - Tim raised a concern that the term Precertificate should be added to
   the Definitions (1.6.1), rather than the text used.
      - This is slightly similar to Kirk's remarks; however, as with Kirk's
      remarks, the proposed language matches what we do in a number of other
      places, and with the existing text in the BRs
      - I'm not supportive of adding it to the Definitions (1.6.1) in this,
      because that runs the risk of making the second problem (the one
not being
      fixed) worse. Because it matches what we do, and doesn't make the second
      problem worse, I don't want to make Tim's suggested change.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191025/816d863c/attachment-0001.html>


More information about the Servercert-wg mailing list