On Mon, Jan 23, 2017 at 04:01:58PM -0800, Peter Bowen wrote:
> On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson <[email protected]> wrote:
> > Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only
> > apply to end-entity certificates?
> >
> > If yes, where does it specify that in the document?
> >
> > This has come up in a few CA requests, due to errors we get when we run
> > Kurt's x509lint test.
> > Example:
> > https://github.com/kroeckx/x509lint/issues/17
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1099311#c17
>
> Kathleen,
>
> I believe that it does not apply to CA certificates, but I can see how
> this is not clear.
>
> To help understand the intent of this section, it is helpful to look
> at the history of the section. 7.1.4.2 has not been substantially
> changed since BR 1.3.0, which was the version that switched from the
> old structure to the new RFC 3647 structure. As seen in
> https://cabforum.org/wp-content/uploads/RFC3647_Comparison_Table_for_Baseline_Requirements.pdf,
> 7.1.4.2 was previously section 9.2 and 7.1.4.1 was previously section
> 9.1.
>
> In 2015, the CA/Browser Forum passed ballot 148
> (https://cabforum.org/2015/04/02/ballot-148-issuer-field-correction/)
> which changed sections 9.1 and 9.2 and appears to clearly call out
> that the intent is to require different content in the subjects for CA
> certificates than end-entity certificates.
It seems that for all of 1.2.4, 1.2.5 and 1.4.2 it's really the same text, just in different section numbers. But looking at this again, the current 7.1.4.3 is about Subordinate CA certificates, so it could make sense that 7.1.4.2 (that starts with exactly the same text) is not about all certificates. But I see no good reason why some of the rules applied to EE certificates shouldn't be applied to CA certificates.

Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

