[Servercert-wg] [EXTERNAL]Re: Critical Name Constraints (Was: Re: Question on BR 3.2.2.6)

Keshwarsingh Nadan kn at millenium.net.mu
Thu Mar 5 07:05:43 MST 2020


On Thu, Mar 5, 2020 at 8:05 AM Keshwarsingh Nadan <kn at millenium.net.mu> wrote:
>RFC5280 is a standard. RFC5280 doesn't really limit the CA for signing things, it leaves that to the CA to have a policy about it, and the user to review that policy. But RFC5280 does have some requirements about things like the format of certificates.

The question about "Can it sign a "thing" (as I hesitate to call it a Certificate) that violates RFC 5280?" was clear and unambiguous, and I believe I provided a fair and reasonable input. I refer you to (i) RFC 1796, (ii) Section 2 of RFC 7841, and (iii) RFC 7100.

RFCs do not lay down or enforce any requirements; those are merely recommendations on a "to adopt," and "to enhance" basis.

>But we're discussing the BRs here. It places limits on the policy of the CA, among other things which certificates it can sign. It clearly cannot sign anything it wants.

Correct, not to confuse between BRs enforceability and RFCs.

I'm not sure I understand, but it seems you're confusing the BRs and the RFCs, and I'm not quite sure the root of that confusion.

The statement that RFC 5280 is not a Standard is something that is somewhat preposterous, and it's certainly worthy of expansion. For example, perhaps you only consider documents drafted by ITU-T or ETSI to be standards, perhaps you only view BCP as standards, or something else. You mention the workmode of the IETF in your reply, but also seemingly ignore the document track.

However, much of that is a distraction from the core discussion, which is why it's rather odd you'd bring it up and somewhat difficult to square. As a policy document to capture root program requirements in a way that facilitates the ability for independent third-party audits, the Baseline Requirements make a normative dependency on the profile captured of RFC 5280. Even if RFC 5280 were, say, an individual submission or even an expired draft, the incorporation by the Baseline Requirements still means that the question I raised still stands on its merits. Put differently, your answer to my question makes no sense, because regardless of the document track, one can easily and readily evaluate whether or not a Certificate conforms to the profile captured in RFC 5280, which is normatively required by the common auditable criteria, which capture the common requirement of Root Programs.

Thus, I don't think it's quite a fair or reasonable input, but I acknowledge, I could be missing some important point you're trying to highlight here. I appreciate your further clarifications provided to Kurt, but it seems to only suggest more confusion, rather than the clarity I believe you're trying to provide.

I can understand and appreciate your perspective. It’s fair.