On 24/1/2017 2:01 AM, Peter Bowen wrote:
On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson <[email protected]> wrote:
Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only apply
to end-entity certificates?
If yes, where does it specify that in the document?
This has come up in a few CA requests, due to errors we get when we run Kurt's
x509lint test.
Example:
https://github.com/kroeckx/x509lint/issues/17
https://bugzilla.mozilla.org/show_bug.cgi?id=1099311#c17
Kathleen,
I believe that it does not apply to CA certificates, but I can see how
this is not clear.
To help understand the intent of this section, it is helpful to look
at the history of the section. 7.1.4.2 has not been substantially
changed since BR 1.3.0, which was the version that switched from the
old structure to the new RFC 3647 structure. As seen in
https://cabforum.org/wp-content/uploads/RFC3647_Comparison_Table_for_Baseline_Requirements.pdf,
7.1.4.2 was previously section 9.2 and 7.1.4.1 was previously section
9.1.
In 2015, the CA/Browser Forum passed ballot 148
(https://cabforum.org/2015/04/02/ballot-148-issuer-field-correction/)
which changed sections 9.1 and 9.2 and appears to clearly call out
that the intent is to require different content in the subjects for CA
certificates than end-entity certificates.
I agree that the BRs could be clearer, but it seems to me that the
only requirements are country and organization name.
Thanks
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
I also agree with Peter. For CA Certificates, there is a more specific
section (7.1.4.3 "Subject Information - Subordinate CA Certificates").
Also, the Name Forms for Root CA and Subordinate CA Certificates are
described in 7.1.2.1.e and 7.1.2.2.h respectively.
The CA/B Forum Policy Review WG made some effort
<https://cabforum.org/pipermail/policyreview/2016-April/000272.html> to
clarify this by merging information between these sections, but there
was not enough support to proceed.
Dimitris.