[Servercert-wg] [External Sender] Question regarding the id-ad-caIssuers accessMethod URI

Adriano Santoni adriano.santoni at staff.aruba.it
Thu Apr 25 07:43:44 UTC 2024


Hi,

IMO, including an HTTPS URI in the *id-ad-caIssuers* accessMethod is at 
least a bad practice and very unwise (if done on purpose), as it may 
give rise to unbounded loops, as it is clearly explained in RFC5280:

> CAs SHOULD NOT include URIs that specify https, ldaps, or similar
> schemes in extensions.  CAs that include an https URI in one of these
> extensions MUST ensure that the server's certificate can be validated
> without using the information that is pointed to by the URI.  Relying
> parties that choose to validate the server's certificate when
> obtaining information pointed to by an https URI in the
> cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess
> extensions MUST be prepared for the possibility that this will result
> in unbounded recursion.

That said, whether it amounts to a violation of the BRs it's a different 
matter. Generally speaking, since the requirement for the 
*id-ad-caIssuers* accessMethod is expressed in the same way as for the 
*id-ad-ocsp* accessMethod and for *distributionPoint* (see 7.1.2.11.2), 
therefore if using an "https" URI is indeed a violation it should be so 
for all three cases.

It should also be noted that PKILINT contains a validator for checking 
that the URI in the *id-ad-caIssuers* accessMethod starts with "http://".

Adriano


Il 25/04/2024 08:10, Dimitris Zacharopoulos (HARICA) via Servercert-wg 
ha scritto:
> NOTICE: Pay attention - external email - Sender is 
> 0100018f13e0c532-cd7a8efa-701a-498e-9678-2ba113a48abf-000000 at amazonses.com 
>
>
>
>
>
> Dear Members,
>
> I have a quick question regarding the |id-ad-caIssuers| accessMethod URI.
>
> Section 4.2.2.1 of RFC 5280 
> <https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.2.1> states 
> that:
>
>> When the|id-ad-caIssuers|accessMethod is used, at least one instance 
>> SHOULD specify an accessLocation that is an HTTP [RFC2616] or LDAP 
>> [RFC4516] URI.
>
> RFC 2616 does not support https. That was introduced in a superseded 
> version.
>
> Since RFC 5280 points to RFC 2616, based on past discussions about 
> strictly adhering to RFC 5280 despite the existence of superseded 
> versions, I believe that the proper interpretation of this requirement 
> is that the "http" scheme is allowed and "https" is not.
>
> Do Members agree with that interpretation?
>
> If this is the correct interpretation, would it be considered a 
> violation of the BRs if a CA or end-entity certificate contains 
> https:// URL in the id-ad-caIssuers accessMethod ?
>
> I'm afraid that this might not be as clear in the BRs as it should be, 
> so if people agree with the above, we should probably update section 
> 7.1.2.7.7 
> <https://github.com/cabforum/servercert/blob/main/docs/BR.md#71277-subscriber-certificate-authority-information-access> 
> (and possibly other parts) to explicitly state that the allowed scheme 
> is "http" and not "https", just like we do for the CRLDP in section 
> 7.1.2.11.2 
> <https://github.com/cabforum/servercert/blob/main/docs/BR.md#712112-crl-distribution-points> 
> .
>
>
> Thank you,
> Dimitris.
>
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240425/320b6987/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240425/320b6987/attachment-0001.p7s>


More information about the Servercert-wg mailing list