On Friday, June 14, 2024 at 6:54:03 PM UTC+1 Aaron Gable wrote:

> On Fri, Jun 14, 2024 at 9:44 AM Wayne <[email protected]> wrote:
>
> > The CP and CPS mentioned in RFC 3647 at some point got flipped by some CAs and are being used in the opposite interpretation than RFC 3647 states. Originally one was the summary (CP), one was the details (CPS), and which is which now depends on the CA. I don't think this divergence *should* matter in reading each CA's documents in isolation, but it is interesting historically and is an indication of how deeply CAs read the RFCs.
>
> I don't think I agree with the interpretation that a CP was a "summary" and a CPS was the "details" -- RFC 3647 clearly draws the line differently, saying that the CP is the *what*, while the CPS is the *how*. For example, a CP (like the BRs) might say "you MUST NOT sign using RSASSA-PKCS1-v1_5 with SHA-1", while a CPS might say "we sign only using sha256WithRSAEncryption". Again, the CP is supposed to be prescriptive, while the CPS is supposed to be descriptive.

Ah, we are thinking the same thing; we're just using different words. I agree with your interpretation, for what it is worth.

For those who haven't read RFC 3647, here's the relevant portion from https://datatracker.ietf.org/doc/html/rfc3647#section-3.5:

> The main differences between CPs and CPSs can therefore be summarized as follows:
>
> (a) A PKI uses a CP to establish requirements that state what participants within it must do. A single CA or organization can use a CPS to disclose how it meets the requirements of a CP or how it implements its practices and controls.
>
> (b) A CP facilitates interoperation through cross-certification, unilateral certification, or other means. Therefore, it is intended to cover multiple CAs. By contrast, a CPS is a statement of a single CA or organization. Its purpose is not to facilitate interoperation (since doing so is the function of a CP).
>
> (c) A CPS is generally more detailed than a CP and specifies how the CA meets the requirements specified in the one or more CPs under which it issues certificates.

It is from that part of the RFC that my terms come. I looked into this over a month ago, given how odd it seemed that the WebPKI space used policy differently than other regulated environments. In other places you'd have policy (the descriptive element, or as I call it a summary) -> procedures (how things will actually be implemented, or as I call it the details), in a similar vein; therefore the policy part never quite made sense before I saw the RFC.

- Wayne

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/81f495e1-7373-46af-828a-204955d5e100n%40mozilla.org.
