All,

I would like to create some written rules about using "No Stipulation" in CP and CPS documents; e.g. what it means, and when it is OK to be used.

First, I will appreciate your thoughts about what the term "No Stipulation" means; e.g. does it mean one or all of the following?
 "No rules defined for this section"
 "This section is not applicable"
 "This section is not allowed"
 "This section is not used"

Can "No Stipulation" mean different things based on the context of the section?
For example:
"1.3.5 Other Participants
No stipulation."
Does that mean “no other participants are allowed”?

Here is what RFC 3647 says about the term:
""
While many topics are identified, it is not necessary for a CP or a
   CPS to include a concrete statement for every such topic.  Rather, a
   particular CP or CPS may state "no stipulation" for a component,
   subcomponent, or element on which the particular CP or CPS imposes no
   requirements or makes no disclosure.  In this sense, the list of
   topics can be considered a checklist of topics for consideration by
   the CP or CPS writer.

   It is recommended that each and every component and subcomponent be
   included in a CP or CPS, even if there is "no stipulation"; this will
   indicate to the reader that a conscious decision was made to include
   or exclude a provision concerning that topic.  This drafting style
   protects against inadvertent omission of a topic, while facilitating
   comparison of different certificate policies or CPSs, e.g., when
   making policy mapping decisions.
""

It seems a little ambiguous to me, so I would like to have a written statement about what "No Stipulation" means within CP and CPS documents, especially in regard to SSL certificate issuance.

Here are two examples that I've seen recently.

== Example 1 ==
In this situation, the CA has one CP that covers different types of roots, so the CPS for the different roots has the details. There is no further detailed public documentation beyond the CPS.

In the CA's CP:
3.1.2 Need for Names to be Meaningful
No Stipulation
3.1.5 Uniqueness of Names
No Stipulation
3.2.2.1 Identity
No Stipulation
3.2.2.2 DBA/Tradename
No Stipulation
3.2.2.3 Verification of Country
No Stipulation
3.2.2.4 Validation of Domain Authorization or Control
No Stipulation
3.2.2.4.1 Validating the Applicant as a Domain Contact
No Stipulation
3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact
No Stipulation
3.2.2.4.3 Phone Contact with Domain Contact
No Stipulation
3.2.2.4.4 Constructed Email to Domain Contact
No Stipulation
3.2.2.4.5 Domain Authorization Document
No Stipulation
3.2.2.4.6 Agreed-Upon Change to Website
No Stipulation
3.2.2.4.7 DNS Change
No Stipulation
3.2.2.4.8 IP Address
No Stipulation
3.2.2.4.9 Test Certificate
No Stipulation
3.2.2.4.10 TLS Using a Random Number
No Stipulation
3.2.2.4.11 Any Other Method
This method has been retired and MUST NOT be used.
3.2.2.4.12 Validating Applicant as a Domain Contact
No Stipulation
3.2.2.5 Authentication for an IP Address
No Stipulation
3.2.2.6 Wildcard Domain Validation
No Stipulation
3.2.2.7 Data Source Accuracy
No Stipulation
3.2.2.8 CAA Records
No Stipulation
3.2.3 Authentication of Individual Identity
No Stipulation
3.2.4 Non-Verified Subscriber Information
No Stipulation
4.7.4 Notification of New Certificate Issuance to Subscriber
No stipulation
4.9.7 CRL Issuance Frequency
No Stipulation.
4.9.10 On-Line Revocation Checking Requirements
No Stipulation
5.4.6 Audit Log Accumulation System (Internal vs. External)
No Stipulation
6.1.5 Key Sizes
No Stipulation
6.2.3 Private Key Escrow
No Stipulation
6.2.5 Private Key Archival
No Stipulation
6.2.6 Private Key Transfer into or from a Cryptographic Module
No Stipulation
6.2.9 Deactivating Private Keys
No Stipulation
6.3.2 Certificate Operational Periods and Key Pair Usage Periods
No Stipulation
6.7 NETWORK SECURITY CONTROLS
No stipulation

The relevant CPS has the following sections with No Stipulation:
3.1.5 Uniqueness of Names
No Stipulation
3.2.2.5 Authentication for an IP Address
No Stipulation
3.2.2.6 Wildcard Domain Validation
No Stipulation
4.7.4 Notification of New Certificate Issuance to Subscriber
No Stipulation
5.4.6 Audit Log Accumulation System (Internal vs. External)
No Stipulation
6.2.3 Private Key Escrow
No Stipulation
6.2.5 Private Key Archival
No Stipulation
6.2.6 Private Key Transfer into or from a Cryptographic Module
No Stipulation
6.2.9 Deactivating Private Keys
No Stipulation

In this example you can see that the CA clarifies in the CPS which domain validation methods can be used.

I'm not sure how to interpret the sections listed above that have "No Stipulation" in both the CP and the CPS.

For instance, when I see "3.2.2.5 Authentication for an IP Address" with "No Stipulation" in the CPS, it is not clear to me if the CA does not allow for IP Addresses to be included in SSL certs, or if the CA just allows any form of verification of IP Addresses.



== Example 2 ==
In the following situation, the CA does not have a separate CP document. This one CPS document is the only public document about the CA's policies/practices.

1.3.5 Other Participants
No stipulation.
3.2.2.4.1 Validating the Applicant as a Domain Contact
No stipulation.
3.2.2.4.5 Domain Authorization Document
No stipulation.
3.2.2.4.9 Test Certificate
No stipulation
3.2.2.4.10 TLS Using a Random Number
No stipulation
3.2.2.4.11 Any Other Method
No stipulation
3.2.2.4.12 Validating Applicant as a Domain Contact
No stipulation
3.2.4 Non-verified Subscriber Information
No stipulation.
4.2.2 Approval or Rejection of Certificate Applications
No stipulation.
4.4.1 Conduct Constituting Certificate Acceptance
No stipulation.
4.4.2 Publication of the Certificate by the CA
No stipulation.
4.5 Key Pair and Certificate Usage
No stipulation.
4.5.1 Subscriber Private Key and Certificate Usage
No stipulation.
4.5.2 Relying Party Public Key and Certificate Usage
No stipulation.
4.7 Certificate Re-key
No stipulation.
4.7.1 Circumstance for Certificate Re-key
No stipulation.
4.7.2 Who May Request Certification of a New Public Key
No stipulation.
4.7.3 Processing Certificate Re-keying Requests
No stipulation.
4.7.4 Notification of New Certificate Issuance to Subscriber
No stipulation.
4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate
No stipulation.
4.7.6 Publication of the Re-keyed Certificate by the CA
No stipulation.
4.7.7 Notification of Certificate Issuance by the CA to Other Entities
No stipulation.
4.9.8 Maximum Latency for CRLs
No stipulation.
4.9.13 Circumstances for Suspension
No stipulation.
4.9.14 Who Can Request Suspension
No stipulation.
4.9.15 Procedure for Suspension Request
No stipulation.
4.9.16 Limits on Suspension Period
No stipulation.
4.12 Key Escrow and Recovery
No stipulation.
4.12.1 Key Escrow and recovery Policy Practices
No stipulation.
5.2.4 Roles Requiring Separation of Duties
No stipulation.
5.4.4 Protection of Audit Log
No stipulation.
5.4.5 Audit Log Backup Procedures
No stipulation.
5.4.6 Audit Collection System
No stipulation.
5.7.3 Entity Private Key Compromise Procedures
No stipulation.
6.5.2 Computer Security Rating
No stipulation.
7.1.5 Name Constraints
No stipulation.

In this situation, is it reasonable to assume that the domain validation procedures that have "No Stipulation" are not used? Or should the CA be required to use specific language to indicate that?

Is it OK for the CA to say "No Stipulation" in all of the sections listed above?

What does "No Stipulation" mean in each of the sections listed above?

==

As always, I will greatly appreciate your thoughtful and constructive input on this discussion.

Thanks,
Kathleen








_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
