On 24/01/2017 22:47, Kurt Roeckx wrote:
On Mon, Jan 23, 2017 at 04:01:58PM -0800, Peter Bowen wrote:
On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson <[email protected]> wrote:
Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only apply
to end-entity certificates?
If yes, where does it specify that in the document?
This has come up in a few CA requests, due to errors we get when we run Kurt's
x509lint test.
Example:
https://github.com/kroeckx/x509lint/issues/17
https://bugzilla.mozilla.org/show_bug.cgi?id=1099311#c17
Kathleen,
I believe that it does not apply to CA certificates, but I can see how
this is not clear.
To help understand the intent of this section, it is helpful to look
at the history of the section. 7.1.4.2 has not been substantially
changed since BR 1.3.0, which was the version that switched from the
old structure to the new RFC 3647 structure. As seen in
https://cabforum.org/wp-content/uploads/RFC3647_Comparison_Table_for_Baseline_Requirements.pdf,
7.1.4.2 was previously section 9.2 and 7.1.4.1 was previously section
9.1.
In 2015, the CA/Browser Forum passed ballot 148
(https://cabforum.org/2015/04/02/ballot-148-issuer-field-correction/)
which changed sections 9.1 and 9.2 and appears to clearly call out
that the intent is to require different content in the subjects for CA
certificates than end-entity certificates.
It seems that for all of 1.2.4, 1.2.5 and 1.4.2 it's really the
same text, just in different section numbers.
But looking at this again, the current 7.1.4.3 is about
Subordinate CA certificates, so it could make sense that 7.1.4.2
(that starts with exactly the same text) is not about all
certificates.
But I see no good reason why some of the rules applied to EE
certificates shouldn't be applied to CA certificates.
Well, there are obvious examples, such as CA certificates being allowed
to have CA:TRUE, and less obvious examples, such as CA certificates
sometimes having much longer validity periods, even if this is only
used for things like revocation and timestamp validity after the
associated EE certificates expire.
Those obvious examples make it important to explicitly consider and
decide which of the EE requirements happen to be the same for CA
certs, and not just blindly copy rules.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy