On 22/11/2023 8:16 PM, Bruce Morton via Cscwg-public wrote:
I think a separate ballot is required. An alternative would be a
cleanup ballot, but I am not sure we have much content for a cleanup
ballot.
Also, this information is missing from
https://cabforum.org/object-registry/: codesigning-requirements(4)
timestamping(2) — 2.23.140.1.4.2 (Timestamp Certificate issued in
compliance with the Code Signing Baseline Requirements). Who can
update this page?
Done.
Dimitris.
Thanks, Bruce.
*From:* Martijn Katerbarg <[email protected]>
*Sent:* Wednesday, November 22, 2023 1:01 PM
*To:* Bruce Morton <[email protected]>; [email protected]
*Subject:* [EXTERNAL] Re: MUST overridden by a MAY - Subordinate CA
policies
Hey Bruce,
You’re pretty much taking the proposed language in my head and putting
it on paper 😊. Same for the listing above, for Code Signing CA
Certificates.
Do we think a separate ballot is more appropriate for this? It’d be a
minor one, then again, there’s no shortage of ballot numbers to use.
Regards,
Martijn
*From:* Bruce Morton <[email protected]>
*Date:* Wednesday, 22 November 2023 at 18:03
*To:* Martijn Katerbarg <[email protected]>,
[email protected] <[email protected]>
*Subject:* RE: MUST overridden by a MAY - Subordinate CA policies
Hi Martijn,
I agree that the language needs improvement. It might be better if the
requirement was:
A Certificate issued after 31 March 2022 to a Subordinate CA that
issues Timestamp Certificates and is an Affiliate of the Issuing CA
MUST include one of the following:
1. The CA/Browser Forum reserved identifier (2.23.140.1.4.2) to
indicate the Subordinate CA’s compliance with these Requirements; OR
2. The “anyPolicy” identifier (2.5.29.32.0).
Does that work? If so, then maybe we should also clean up the whole
section. We might also consider deleting “to indicate the
Subordinate CA’s compliance with these Requirements”.
Thanks, Bruce.
*From:* Cscwg-public <[email protected]> *On Behalf Of*
Martijn Katerbarg via Cscwg-public
*Sent:* Wednesday, November 22, 2023 11:07 AM
*To:* [email protected]
*Subject:* [EXTERNAL] [Cscwg-public] MUST overridden by a MAY -
Subordinate CA policies
All,
CSBR section 7.1.6.3 states:
“A Certificate issued to a Subordinate CA that issues Code Signing
Certificates and is an Affiliate of the Issuing CA:
1. MUST include the CA/Browser Forum reserved identifier specified in
Section 7.1.6.1
<https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers>
to indicate the Subordinate CA's compliance with these
Requirements, and
2. MAY contain the "anyPolicy" identifier (2.5.29.32.0) in place of
an explicit policy identifier.
A Certificate issued after 31 March 2022 to a Subordinate CA that
issues Timestamp Certificates and is an Affiliate of the Issuing CA:
1. MUST include the CA/Browser Forum reserved identifier specified in
Section 7.1.6.1
<https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers>
to indicate the Subordinate CA’s compliance with these
Requirements, and
2. MAY contain the “anyPolicy” identifier (2.5.29.32.0) in place of
an explicit policy identifier.”
I find there’s a few issues with this:
* “MUST include the CA/Browser Forum reserved identifier specified
in Section 7.1.6.1
<https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers>”,
seems to state there’s only one policy OID to use, while in fact
there are 3 in the named section, 2 which are for code signing
certificates. This is a minor issue though and could be fixed in a
cleanup ballot.
* More concerning I find the MUST and MAY language. If we take the
language related to CA Certificates for Code Signing Certificates,
what does this language actually state? Should this be interpreted as:
  * MUST include a CABF OID and MAY additionally contain the
  “anyPolicy” OID.
or does it state:
  * MUST include either a CABF OID or the “anyPolicy” OID?
I would like to think the intent here is to allow CA Certificates with
just the “anyPolicy” OID, but at the same time, a MAY overriding a
MUST seems counterproductive.
Any thoughts on this?
Regards,
Martijn
_______________________________________________
Cscwg-public mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/cscwg-public
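The two readings Martijn contrasts (CABF OID required with anyPolicy merely permitted, versus CABF OID or anyPolicy) can be checked mechanically against a Subordinate CA certificate's certificatePolicies extension. The following is an added example, not text from the thread or code from the CA/Browser Forum; it decodes the extension's DER value with a minimal stdlib-only parser and evaluates both readings. The timestamp OID and anyPolicy are the ones quoted above; the two code-signing OIDs in CABF_OIDS are taken from CSBR 7.1.6.1 and are not quoted in the thread, and the sample extension values are constructed here.

```python
ANY_POLICY = "2.5.29.32.0"          # anyPolicy, quoted in the thread
CABF_TIMESTAMP = "2.23.140.1.4.2"   # CABF timestamp reserved OID, quoted in the thread
# Reserved OIDs of CSBR 7.1.6.1; the two code-signing values are not quoted in the thread.
CABF_OIDS = {CABF_TIMESTAMP, "2.23.140.1.4.1", "2.23.140.1.3"}

def _encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID (first arc 0..2, second arc below 40)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                # base-128, continuation bit on all but the last byte
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def _decode_oid(value: bytes) -> str:
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def _tlv(buf: bytes, i: int) -> tuple[int, bytes, int]:
    tag, length = buf[i], buf[i + 1]   # short-form length only; enough for CA policy extensions
    return tag, buf[i + 2:i + 2 + length], i + 2 + length

def certificate_policies(*oids: str) -> bytes:
    """DER certificatePolicies value without policy qualifiers (constructed sample input)."""
    infos = b"".join(bytes([0x30, len(e)]) + e for e in map(_encode_oid, oids))
    return bytes([0x30, len(infos)]) + infos

def policy_oids(ext_value: bytes) -> list[str]:
    """Extract every policyIdentifier from a DER certificatePolicies value."""
    _, seq, _ = _tlv(ext_value, 0)             # outer SEQUENCE OF PolicyInformation
    oids, i = [], 0
    while i < len(seq):
        _, info, i = _tlv(seq, i)              # PolicyInformation SEQUENCE
        _, oid, _ = _tlv(info, 0)              # policyIdentifier comes first; qualifiers ignored
        oids.append(_decode_oid(oid))
    return oids

def compliant(oids: list[str], strict: bool) -> bool:
    """strict: 'MUST include a CABF OID, MAY additionally contain anyPolicy'.
    lenient: 'MUST include either a CABF OID or anyPolicy' (Bruce's proposed wording)."""
    has_cabf = bool(CABF_OIDS & set(oids))
    return has_cabf if strict else (has_cabf or ANY_POLICY in oids)
```

A CA certificate carrying only anyPolicy passes the lenient reading and fails the strict one, which is exactly the ambiguity the ballot would have to settle.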