[Servercert-wg] Discussion about single-purpose client authentication leaf certificates issued from a server TLS Issuing CA

Roman Fischer roman.fischer at swisssign.com
Wed May 15 04:34:58 UTC 2024


Dear Aaron,

Interesting line of argumentation. Wouldn’t that conclude that -every- mis-issuance of a leaf certificate would be a violation of "all certificates that it issues MUST comply with one of the following certificate profiles" and thus would require the ICA to be revoked? That can’t be the intent of the regulation, right?

Rgds
Roman

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Aaron Gable via Servercert-wg
Sent: Dienstag, 14. Mai 2024 16:59
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Discussion about single-purpose client authentication leaf certificates issued from a server TLS Issuing CA

On Tue, May 14, 2024, 02:33 Dimitris Zacharopoulos (HARICA) via Servercert-wg <servercert-wg at cabforum.org> wrote:

Is it ok for such an Issuing CA to create a single-purpose client authentication TLS Certificate, one that is structured according to RFC 5280 (thus can be successfully parsed by Relying Party RFC 5280-conformant software), contains an extKeyUsage extension which contains the id-kp-clientAuth and DOES NOT include the id-kp-serverAuth KeyPurposeId?

Speaking in a personal capacity, it is my opinion that no, such issuance is not acceptable.

I agree that the resulting end-entity client-auth-only certificate is out of scope of the BRs, and is not in and of itself misissued. However, the issuing intermediate itself is still in scope of the BRs, and its behavior can be contained by them. By virtue of issuing the clientAuth cert, the issuing intermediate has violated the BRs' requirement that "all certificates that it issues MUST comply with one of the following certificate profiles".

One could even argue that, having issued a certificate which does not comply with a BR profile, the issuing intermediate must be revoked within 7 days, per BRs Section 4.9.1.2 (5): "The Issuing CA SHALL revoke a Subordinate CA Certificate [if...] the Issuing CA is made aware that the... Subordinate CA has not complied with this document".

Aaron
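The question in this thread turns on one concrete property of the leaf: an extKeyUsage extension that carries id-kp-clientAuth and not id-kp-serverAuth. As an added example that is not part of the thread and not any CA's own tooling, the following standard-library-only Python decodes the DER value of an extKeyUsage extension (RFC 5280 section 4.2.1.12, a SEQUENCE OF KeyPurposeId) and sorts leaves issued under a server TLS issuing CA into server-auth capable, client-auth-only, or no EKU. This is the kind of inventory a CA or auditor would run over an issuing CA's output before deciding whether the BRs 4.9.1.2 revocation question even arises. The sample EKU values are constructed here, and treating anyExtendedKeyUsage as server-auth capable is my assumption, not something the thread states.

```python
"""Classify end-entity certificates by their Extended Key Usage purposes.

Added example, not from the CA/B Forum thread. Decodes the DER value of an
X.509 extKeyUsage extension (RFC 5280 4.2.1.12: SEQUENCE OF OBJECT IDENTIFIER)
using only the standard library, then reports whether each leaf is
server-auth capable, client-auth-only, or carries no EKU at all.
"""

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # RFC 5280 id-kp-serverAuth
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # RFC 5280 id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"                   # anyExtendedKeyUsage


def _read_tlv(data, offset):
    """Read one DER tag-length-value triple; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        num = length & 0x7F
        length = int.from_bytes(data[offset:offset + num], "big")
        offset += num
    return tag, data[offset:offset + length], offset + length


def decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40]       # first byte packs the first two arcs
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)          # base-128, high bit set on all but last byte
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """Build the DER extension value for extKeyUsage from a list of dotted OIDs."""
    inner = b"".join(encode_oid(o) for o in oids)
    assert len(inner) < 128, "short-form length only in this example"
    return bytes([0x30, len(inner)]) + inner


def parse_eku(der):
    """Return the list of dotted KeyPurposeId OIDs inside an extKeyUsage value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    oids, off = [], 0
    while off < len(seq):
        tag, val, off = _read_tlv(seq, off)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(val))
    return oids


def classify_leaf(eku_der):
    """eku_der is None when the certificate has no extKeyUsage extension."""
    if eku_der is None:
        return "no-eku"
    purposes = parse_eku(eku_der)
    # Assumption for this example: anyExtendedKeyUsage counts as server-auth capable.
    if ID_KP_SERVER_AUTH in purposes or ANY_EKU in purposes:
        return "server-auth"
    if ID_KP_CLIENT_AUTH in purposes:
        return "client-auth-only"
    return "other"


def audit_issuance(leaves):
    """Map {serial: eku_der_or_None} to {serial: class}; the caller can then
    pick out every client-auth-only leaf issued from the server TLS ICA."""
    return {serial: classify_leaf(eku) for serial, eku in leaves.items()}


if __name__ == "__main__":
    # Constructed sample issuance from one hypothetical issuing CA.
    sample = {
        "01": encode_eku([ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH]),
        "02": encode_eku([ID_KP_CLIENT_AUTH]),
        "03": None,
    }
    for serial, cls in audit_issuance(sample).items():
        print(serial, cls)
```

Only the extension value is parsed here; in practice the bytes come from the certificate's extensions sequence, and an auditor would feed `audit_issuance` the extKeyUsage value of every leaf the intermediate has signed.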

