[Servercert-wg] [EXTERNAL]Re: Critical Name Constraints (Was: Re: Question on BR 3.2.2.6)

Thu Mar 5 06:54:46 MST 2020

On Thu, Mar 5, 2020 at 8:05 AM Keshwarsingh Nadan <kn at millenium.net.mu>
wrote:

> >RFC5280 is a standard. RFC5280 doesn't really limit the CA for signing
> things, it leaves that to the CA to have a policy about it, and the user to
> review that policy. But RFC5280 does have some >requirements about things
> like the format of a certificates.
>
> The question about " Can it sign a "thing" (as I hesitate to call it a
> Certificate) that violates RFC 5280?" was clear and unambiguous, and I
> believe I provided a fair and reasonable input. I refer you to (i) RFC 1796
> (ii) Section 2 of RFC 7841 and (iii) RFC 7100
>
> RFCs do not lay down or enforce any requirements; those are merely
> recommendations on a "to adopt," and "to enhance" basis.
>
> >But we're discussion the BRs here. It places limits on the policy of the
> CA, among other things which certicates it can sign. It clearly can not
> sign anything it wants.
>
> Correct, not to confuse between BRs enforceability and RFCs.
>
>
I'm not sure I understand, but it seems you're confusing the BRs and the
RFCs, and I'm not quite sure the root of that confusion.

The statement that RFC 5280 is not a Standard is something that is somewhat
prepostorous, and it's certainly worthy of expansion. For example, perhaps
you only consider documents drafted by ITU-T or ETSI to be standards,
perhaps you only view BCP as standards, or something else. You mention the
workmode of the IETF in your reply, but also seemingly ignore the document
track.

However, much of that is a distraction from the core discussion, which is
why it's rather odd you'd bring it up and somewhat difficult to square. As
a policy document to capture root program requirements in a way that
facilitates the ability for independent third-party audits, the Baseline
Requirements make a normative dependency on the profile captured of RFC
5280. Even if RFC 5280 were, say, an individual submission or even an
expired draft, the incorporation by the Baseline Requirements still means
that the question I raised still stands on it merits. Put differently, your
answer to my question makes no sense, because regardless of the document
track, one can easily and readily evaluate whether or not a Certificate
conforms to the profile captured in RFC 5280, which is normatively required
by the common auditable criteria, which capture the common requirement of
Root Programs.

Thus, I don't think it's quite a fair or reasonable input, but I
acknowledge, I could be missing some important point you're trying to
highlight here. I appreciate your further clarifications provided to Kurt,
but it seems to only suggest more confusion, rather than the clarity I
believe you're trying to provide.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200305/ddd7534e/attachment.html>