[cabf_validation] Section 7.1.2.10.5 CA Certificate Certificate Policies for cross signing certificates
Ben Wilson
bwilson at mozilla.com
Fri Sep 6 15:43:22 UTC 2024
Mozilla will endorse.
On Fri, Sep 6, 2024 at 7:21 AM Paul van Brouwershaven via Validation <
validation at cabforum.org> wrote:
> Following yesterday's discussion in the validation subcommittee
> teleconference, we are now seeking two members to endorse the ballot.
> Feedback is also welcome, either here or on the pull request.
>
> ### Purpose of the Ballot
>
> This ballot duplicates the content of section 7.1.2.10.5 (CA Certificate
> Certificate Policies) into section 7.1.2.2 (Cross-Certified Subordinate CA
> Certificate Profile) as section 7.1.2.2.6 (Cross-Certified Subordinate CA
> Certificate Certificate Policies), modifying the requirement from "MUST
> contain exactly one Reserved Certificate Policy Identifier" to "MUST
> include at least one Reserved Certificate Policy Identifier" to allow the
> inclusion of multiple Reserved Certificate Policy Identifiers in a
> Cross-Certified Subordinate CA Certificate.
>
> The following motion has been proposed by Paul van Brouwershaven (Entrust)
> and endorsed by XXX (XXX) and XXX (XXX).
>
> GitHub pull request for this ballot:
> https://github.com/cabforum/servercert/pull/544
>
> ### Motion begins
>
> MODIFY the "Baseline Requirements for the Issuance and Management of
> Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements")
> based on Version 2.0.6 as specified in the following redline:
>
>
> https://github.com/cabforum/servercert/compare/929d9b4a1ed1f13f92f6af672ad6f6a2153b8230...89f80028b40ce6a1a5c52b406d37e5534460a1a1
>
> ### Motion ends
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> - Start time: TBC
> - End time: TBC
>
> Vote for approval (7 days)
>
> - Start time: TBC
> - End time: TBC
> ------------------------------
> *From:* Validation <validation-bounces at cabforum.org> on behalf of Paul
> van Brouwershaven via Validation <validation at cabforum.org>
> *Sent:* Thursday, September 5, 2024 16:40
> *To:* CABforum3 <validation at cabforum.org>
> *Subject:* [EXTERNAL] [cabf_validation] Section 7.1.2.10.5 CA Certificate
> Certificate Policies for cross signing certificates
>
> We would like to clarify the following requirement in section 7.1.2.10.5
> CA Certificate Certificate Policies, specifically for cross signing
> certificates.
>
> RFC 5280 states that you can have one CertPolicyId within the
> PolicyInformation, see below:
>
> certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
>
> PolicyInformation ::= SEQUENCE {
>      policyIdentifier   CertPolicyId,
>      policyQualifiers   SEQUENCE SIZE (1..MAX) OF
>                              PolicyQualifierInfo OPTIONAL }
>
> CertPolicyId ::= OBJECT IDENTIFIER
>
> Section 7.1.2.10.5 of the TLS BR states for the policyIdentifier:
>
> The CA MUST include at least one Reserved Certificate Policy
> Identifier (see Section 7.1.6.1) associated with the given Subscriber
> Certificate type (see Section 7.1.2.7.1) directly or transitively issued by
> this Certificate.
>
> This 'at least one' seems to contradict RFC 5280 which indicates that we
> can only have one policyIdentifier in the PolicyInformation sequence.
>
> Then at the bottom of this section the TLS BRs states that entire
> certificate policies extension MUST contain exactly one Reserved
> Certificate Policy Identifier:
>
> Regardless of the order of PolicyInformation values, the Certificate
> Policies extension MUST contain exactly one Reserved Certificate
> Policy Identifier.
>
> While we can repeat the PolicyInformation within the certificatePolicies
> extension, does this mean that CAs are prohibited from issuing a cross
> signing certificate (from a multi-purpose root to another multi-purpose
> root) with policy constraints that include DV, OV and EV reserved certificate
> policy identifiers? If our reading of this section is correct, this would
> mean that CAs need to issue three separate cross signing certificates in
> that case.
>
> Paul
>
>
>
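As an added example (not part of the thread above, and not Entrust's or the CA/B Forum's code), the following Python DER-encodes a certificatePolicies extension with several PolicyInformation values, each carrying exactly one policyIdentifier as RFC 5280 requires, decodes it back, and counts the Reserved Certificate Policy Identifiers so the current "exactly one" reading and the ballot's "at least one" reading can be compared on the same bytes. The reserved OIDs (DV 2.23.140.1.2.1, OV 2.23.140.1.2.2, IV 2.23.140.1.2.3, EV 2.23.140.1.1) are those defined in TLS BR Section 7.1.6.1; the CA-specific OID used in the demo is made up for illustration.

```python
"""DER encode/decode of certificatePolicies (RFC 5280 4.2.1.4) and a
check of the CA/B Forum Reserved Certificate Policy Identifier rule."""

# Reserved Certificate Policy Identifiers from TLS BR Section 7.1.6.1.
RESERVED_POLICY_OIDS = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
    "2.23.140.1.1": "EV",
}


def _der_length(n: int) -> bytes:
    """DER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    blen = (n.bit_length() + 7) // 8
    return bytes([0x80 | blen]) + n.to_bytes(blen, "big")


def der_oid(oid: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, big-endian,
        arc >>= 7                                # continuation bit on all
        while arc:                               # but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def der_sequence(*items: bytes) -> bytes:
    """Wrap already-encoded items in a DER SEQUENCE (tag 0x30)."""
    body = b"".join(items)
    return b"\x30" + _der_length(len(body)) + body


def encode_certificate_policies(oids) -> bytes:
    """One PolicyInformation per policy, each with a single policyIdentifier
    and no qualifiers, which is the only shape RFC 5280's ASN.1 allows."""
    return der_sequence(*(der_sequence(der_oid(o)) for o in oids))


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_certificate_policies(ext: bytes):
    """Return the policyIdentifier of every PolicyInformation, in order."""
    tag, body, end = _read_tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("certificatePolicies is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, oid_body, _ = _read_tlv(info, 0)   # first element: policyIdentifier
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))        # policyQualifiers ignored
    return oids


def check_reserved_policies(ext: bytes, rule: str):
    """Apply the BR 7.1.2.10.5 wording ('exactly-one') or the ballot's
    proposed 7.1.2.2.6 wording ('at-least-one') to the whole extension."""
    reserved = [o for o in decode_certificate_policies(ext)
                if o in RESERVED_POLICY_OIDS]
    if rule == "exactly-one":
        return len(reserved) == 1, reserved
    if rule == "at-least-one":
        return len(reserved) >= 1, reserved
    raise ValueError(f"unknown rule {rule!r}")


if __name__ == "__main__":
    # Cross-certificate carrying DV, OV and EV in one extension.
    ext = encode_certificate_policies(
        ["2.23.140.1.2.1", "2.23.140.1.2.2", "2.23.140.1.1"])
    print(ext.hex())
    for rule in ("exactly-one", "at-least-one"):
        print(rule, check_reserved_policies(ext, rule))
```

The decoder deliberately reads only the first element of each PolicyInformation, so an extension that carries a CPS-pointer or user-notice qualifier still yields the same OID list; the DV/OV/EV cross-certificate from the question fails the "exactly one" rule and passes "at least one".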