[cabf_validation] Subject DN attributes in ICA certificates

Ryan Sleevi sleevi at google.com
Wed Jun 10 07:18:32 MST 2020 

Hi Doug,

If you'd like to propose a ballot, I think we'd be happy to draft. I think
during the lengthy discussion of this issue, in which I tried to engage
CAs, we highlighted several issues:

1) These fields are both unnecessary and harmful to the broader web. We
understand not all CAs are familiar with the issues here, and so we know
there is still discussion to be had, but any permitting of these fields
needs to be time limited
2) Similarly, we need to make sure that these intermediates are not part of
the ecosystem long term, and so a limit on how long they can issue
certificates that chain to them (e.g. similar to the discussion about
subject/issuer name comparison)
3) The list of fields is https://github.com/cabforum/documents/issues/154 and
so we still need to define validation requirements for those

On Wed, Jun 10, 2020 at 10:08 AM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Then it seems impossible to proceed with an updated profile ballot without
> clarification ballots.
>
>
>
> As a first step, I’d like to propose a ballot where we specify optional
> and required fields in Subordinate CA certificates and their associated
> validation rules.  Specifically, updates to section 7.1.4.3.1:
>
>
>
> a) CN: No change
>
> b) O: no change except to add that this field is validated in accordance
> with 7.1.4.2.2 b.
>
> c) C: No change
>
>
>
> Add:
>
>    - organizationalUnitName – optional, if present validated same as
>    7.1.4.2.2 i.
>    - stateOrProvinceName - optional, if present validated same as
>    7.1.4.2.2 f.
>    - localityName - optional, if present validated same as 7.1.4.2.2 e.
>    - streetAddress – optional, if present validated same as 7.1.4.2.2 d.
>    - postalCode – optional, if present validated same as 7.1.4.2.2 g.
>    - Possibly others as determined during discussion phase, like
>    organizationalIdentifier
>    - All others: Prohibited
>
>
>
> This permits a mix/match of the added optional fields up to the CAs
> policies and procedures, and if present, then they must be validated in
> accordance with the same rules as subscriber certificates.
>
>
>
> Is this going to fly?
>
>
>
>
>
>
>
>
>
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Wednesday, June 10, 2020 9:35 AM
> *To:* Doug Beattie <doug.beattie at globalsign.com>
> *Cc:* Tim Hollebeek (tim.hollebeek at digicert.com) <
> tim.hollebeek at digicert.com>; CA/Browser Forum Validation SC List <
> validation at cabforum.org>
> *Subject:* Re: Subject DN attributes in ICA certificates
>
>
>
>
>
>
>
> On Wed, Jun 10, 2020 at 8:38 AM Doug Beattie <doug.beattie at globalsign.com>
> wrote:
>
> Ryan, Tim and group,
>
>
>
> I was looking at the CA Certificate Profile page yesterday and had a
> couple of questions.
>
>
>
>    1. For ICAs, the BR lists 3 subject DN attributes and remains silent
>    on the remaining.  We see lots of CAs including other attributes
>    (State/Prov, Locality, etc.) and it’s not clear if this is a violation of
>    the BRs or not (default deny discussion…).  Even after a long thread [1],
>    we didn’t come to a consensus.   I don’t want to open that can of worms
>    here, but the question is, as we update this section with the intent of not
>    making material changes, what DN fields do we say are permitted?  Currently
>    the page says Optional in the optional/required column but says prohibited
>    further to the right (along with a reference to the DN tab for validation
>    rules which implies it’s permitted).  Does this update intend to clarify
>    what’s permitted and the associated validation rules?  Do we need a ballot
>    prior to this Profile ballot to define permitted attributes and to specify
>    the validation rules?
>
> Yes, we need a ballot to resolve this.
>
>
>
>
>    1.
>    2. Related to this, the definition of Org is currently: “This field
>    MUST be present and the contents MUST contain either the Subject CA’s name
>    or DBA as verified under Section 3.2.2.2”.  I could not find a definition
>    of “Subject CA’s Name” to know what exactly that means.  A number of CAs,
>    GlobalSign included, issue “Vanity” CAs.  Those are CA certificates in the
>    name of a 3rd party and run by the CA identified in the Certificate
>    Policy CPS link.  As we clarify the validation rules for fields in CA
>    certificates, we should be clear on what we mean by “Subject CA’s name” and
>    how these attributes are validated.  This was discussed in 2017 as part of
>    Ballot 199. Gerv said it was permitted [2], and Ben said [3] this was part
>    of the Policy WG discussion about “CA” and “CA Operator”, which I don’t
>    think was ever reflected in the BRs.
>
> That seems to be confusing CN with O name. You seem to be discussing a
> different field than Gerv, have I confused anything?
>
>
>
>
>    1.
>
> We should come to conclusion on both of these as part of clarifying the
> certificate profiles and attribute validation rules.  Do we need a ballot
> on these before we can finalize the certificate profiles?
>
>
>
> Ryan – I believe you created a list of all subject Attributes you found in
> CAs at some point.  Is that the starting point we wanted to use as the
> “whitelist” of attributes as we clarify what is permitted?
>
>
>
> Yes, and I circulated it multiple times for feedback. It was the process
> of preparing a Ballot that revealed the systemic issues that we're now
> discussing with profiles, in order to resolve matters like how you
> highlight. I just didn't expect we'd be spending so long on profiles.
>
>
>
>
>
> [1]
> https://lists.cabforum.org/pipermail/servercert-wg/2019-October/001154.html
>
> [2] https://lists.cabforum.org/pipermail/public/2017-May/010928.html
>
> [3] https://lists.cabforum.org/pipermail/public/2017-May/010936.html
>
>
>
>
>
> Doug
>
>
>
> *From:* Validation <validation-bounces at cabforum.org> *On Behalf Of *Ryan
> Sleevi via Validation
> *Sent:* Thursday, June 4, 2020 5:50 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Subject:* Re: [cabf_validation] Sub-CAs and CP policy OIDs
>
>
>
>
>
>
>
> On Tue, May 12, 2020 at 4:09 PM Ryan Sleevi <sleevi at google.com> wrote:
>
> I had an issue flagged by a CA and went and filed
> https://github.com/cabforum/documents/issues/179 to try to capture the
> issue
>
>
>
> The TL:DR: is how to handle a sub-CA that wishes to use the CABF OIDs
> within their end-entity certificates, but is not Affiliated with the Root.
>
>
>
> Bumping this, and hoping to get some feedback from other root programs as
> to whether or not they see it as an issue with the BRs, and whether the
> attempted solution ( https://github.com/sleevi/cabforum-docs/pull/21 ) is
> aligning in the right direction. As it is, it raises questions about
> whether some Sub-CAs are in compliance, and creates challenges for issuing
> new Sub-CAs, so I want to make sure we're moving in the right direction and
> giving CAs the clarity they need from Root Programs.
>
>
>
> Separate from that more immediate issue, I'm also starting to wonder
> whether, longer-term, we should restructure how we handle these policy
> OIDs, to make it easier for Relying Party software to use
> certificatePolicies for verification, rather than the (implemented by
> Google/Mozilla/Microsoft) EKU chaining behaviour. This would likely help
> resolve some of the issues around separate trust frameworks, by more
> clearly asserting the trust framework (or frameworks) a certificate belongs
> to. That's not something we need to immediately tackle, as we can still
> smoothly transition later, but the way our current requirements are
> structured, which this PR tries to preserve, prevents that.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200610/ad712674/attachment.html>

More information about the Validation mailing list