On Mon, May 11, 2020 at 02:50:19PM +0000, Corey Bonnell via dev-security-policy 
wrote:
> > * Are there rules that CAs must adhere to in regards to referencing the
> >   intermediate in the AIA field? Does it need to be available? Does it
> >   need to be there at all?
> 
> It's optional (SHOULD-level), as Baseline Requirements 7.1.2.3 (c) [1] states:
>       It (AIA extension) SHOULD also contain the HTTP URL of the Issuing
>       CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).
> 
> I'd think it's a reasonable expectation/implicit requirement that if the
> caIssuers field is present, the issuing CA cert should be generally
> available on the global internet at the specified URL.

I read RFC5280 4.2.2.1 as *requiring* a URL in caIssuers to return the
issuing CA cert.  So a cert SHOULD have caIssuers, and if caIssuers is
present and contains a HTTP URL that URL MUST return a DER-encoded cert (or
"certs-only" CMS).

The only corner case I can find is that if the URL returns a DER-encoded
cert (etc), I can't see anything that explicitly requires that DER-encoded
cert (etc) to be the issuing CA certificate.  It's strongly implied by "the
additional information lists certificates that were issued to the CA that
issued the certificate containing this extension", but it's not as clear and
obvious as the rest of the requirements (no "MUST" in there, for instance).
I don't encourage anyone to try *making* that argument, though...

> > * RfC 5280 says certificates should be served as
> >   "application/pkix-cert". Is it a violation of any rule if they are
> >   not? (application/x-x509-ca-cert is common, no content type and
> >   completely bogus content types like text/html also happen.)
> 
> Since this a SHOULD-level requirement, it's not prohibited to use other
> content-types (although discouraged).

I wonder if it's worth starting to require violations of SHOULDs be
explained.  After all, "SHOULD" indicates that

> there may exist valid reasons in particular circumstances to ignore a
> particular item, but the full implications must be understood and
> carefully weighed before choosing a different course.

(RFC2119, natch)

As a result, if someone violates a SHOULD, then it is reasonable to assume
that the violator can explain the thought processes that caused them to
carefully understand and weigh the implications before rejecting the
recommendation.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
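An added example (not part of the thread, and not code from any CA or from Mozilla) that turns the points discussed above into checks a linter could run over a fetched caIssuers response: the SHOULD-level media type, the MUST-level DER/certs-only encoding, and the implied requirement that what comes back actually is the issuing CA certificate, which it tests by verifying the leaf's signature rather than trusting a subject/issuer name match. It assumes the `cryptography` package; the CA, the leaf, the URL and the HTTP response bodies are all constructed in the script (no network access), and the signature check assumes ECDSA keys because that is what the sample uses.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA, ExtensionOID, NameOID

CA_ISSUERS_URL = "http://ca.example.test/issuing-ca.cer"  # constructed placeholder URL
def _make_cert(subject, issuer, key, signing_key, aia_url=None):
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30)))
    if aia_url:  # id-ad-caIssuers (1.3.6.1.5.5.7.48.2): HTTP URL of the issuing CA cert
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AIA.CA_ISSUERS, x509.UniformResourceIdentifier(aia_url))]), critical=False)
    return b.sign(signing_key, hashes.SHA256())
def build_sample():
    # Constructed issuing CA and leaf (not real certificates); the leaf's AIA points at CA_ISSUERS_URL.
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")])
    ca = _make_cert(ca_name, ca_name, ca_key, ca_key)
    leaf = _make_cert(leaf_name, ca_name, leaf_key, ca_key, CA_ISSUERS_URL)
    return ca, leaf, ca.public_bytes(serialization.Encoding.DER)  # DER is what the URL MUST serve
def ca_issuers_urls(cert):
    # AIA is only SHOULD-level (BR 7.1.2.3), so a missing extension just means nothing to fetch.
    aia = next((e.value for e in cert.extensions if e.oid == ExtensionOID.AUTHORITY_INFORMATION_ACCESS), [])
    return [d.access_location.value for d in aia if d.access_method == AIA.CA_ISSUERS
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]
def check_ca_issuers_response(leaf, content_type, body):
    f = {"content_type_ok": content_type == "application/pkix-cert",  # SHOULD-level only
         "parsed": False, "is_issuer": False, "signature_ok": False}
    try:  # RFC 5280 4.2.2.1: a single DER certificate, or a "certs-only" CMS message (MUST)
        candidates = [x509.load_der_x509_certificate(body)]
    except ValueError:
        try:
            candidates = pkcs7.load_der_pkcs7_certificates(body)
        except ValueError:
            return f  # PEM, an HTML error page, etc. all end up here
    f["parsed"] = True
    for cand in (c for c in candidates if c.subject == leaf.issuer):
        f["is_issuer"] = True  # a name match alone is not proof; verify the leaf's signature too
        try:
            cand.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes, ec.ECDSA(leaf.signature_hash_algorithm))
            f["signature_ok"] = True
        except InvalidSignature:
            pass
    return f
```

Feeding the same leaf a second, unrelated CA that happens to carry the same subject name gives `is_issuer` True but `signature_ok` False, which is exactly the gap between "a DER-encoded cert came back" and "the issuing CA certificate came back".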
