The BRs came into effect on July 1, 2012.  This year we have the fifth 
anniversary of the BRs, and we have an opportunity to help provide high 
assurance of website identities using certificates.  Given the new Website 
Identity initiative (https://casecurity.org/identity/) announced at RSAC last 
week 
(https://www.rsaconference.com/videos/100-encrypted-web-new-challenges-for-tls),
it is clear others are thinking similarly.

In a discussion with Kirk today, I mentioned that one of the challenges with 
recognition of OV certificates is the existence of certificates with OV/IV info 
which are not covered by the BRs, either due to issuance date or missing data 
in the certificate.  It is very hard for browsers to detect whether a 
certificate is a legitimate OV/IV certificate or not given the existence of 
these certificates.  In order to help assure trust in website identity, Kirk 
suggested that we set a sunset date for certificates with identity that are not 
clearly covered in the BRs.

I think the sunset date should be July 1, 2017, which is five years from the BR 
effective date.  On this date, all CAs must revoke unexpired certificates that 
meet the following criteria:

- Contain at least one attribute of type organizationName {2 5 4 10}, givenName 
{2 5 4 42}, or surName {2 5 4 4} in the Subject Name, and
- Is not a self-signed certificate, as defined in X.509, and does not have cA set 
to true in the basic constraints extension (this avoids revoking CA 
certificates), and
- Any of the following are true:
    - Is not a valid Certificate as defined by X.509
    - Was issued before 2012-07-01T00:00:00Z and includes an extended key usage 
extension that contains the id-kp-serverAuth {1 3 6 1 5 5 7 3 1} or 
anyExtendedKeyUsage {2 5 29 37 0} key purpose 
    - Does not include an extended key usage extension but does include a key 
usage extension with digitalSignature
    - Does not include an extended key usage extension but does include a key 
usage extension with keyEncipherment and has a RSA subject public key

By revoking these certificates, we can assure that all un-revoked certificates 
used for website identity authentication that have identity information were 
vetted according to the BRs.

I want to thank Kirk for suggesting revocation of these as the solution to help 
assure relying parties of website identities.

Do others agree that this path makes sense in order to provide high assurance 
of website identity?

Thanks,
Peter
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public

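The revocation criteria in Peter's message are, in effect, a filter over a CA's certificate inventory. The following is an added example, written for this page and not part of the original post or of any CA Forum tooling, that implements that filter as a function over the handful of certificate fields the criteria depend on. Assumptions not in the post: the classifier works on a plain `CertFacts` record so the policy logic is testable offline; the optional `facts_from_x509` adapter uses the third-party `cryptography` package and approximates "self-signed as defined in X.509" by an issuer/subject match (a full check would also verify the signature with the certificate's own key); whether a blob "is not a valid Certificate as defined by X.509" is supplied by the caller as `x509_valid`, since a blob that fails to parse has no subject to inspect; and the sample inputs are constructed, not real certificates.

```python
"""Classifier for the proposed 2017-07-01 sunset of identity certificates not
covered by the Baseline Requirements. Added example; not code from the post."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional

BR_EFFECTIVE = datetime(2012, 7, 1, tzinfo=timezone.utc)

# OIDs named in the post, in dotted form of the {2 5 4 10} notation.
OID_ORG, OID_GIVEN_NAME, OID_SURNAME = "2.5.4.10", "2.5.4.42", "2.5.4.4"
OID_SERVER_AUTH, OID_ANY_EKU = "1.3.6.1.5.5.7.3.1", "2.5.29.37.0"
IDENTITY_OIDS = frozenset({OID_ORG, OID_GIVEN_NAME, OID_SURNAME})
WEB_EKUS = frozenset({OID_SERVER_AUTH, OID_ANY_EKU})


@dataclass(frozen=True)
class CertFacts:
    """The certificate fields the criteria actually look at (assumed model)."""
    subject_oids: FrozenSet[str]        # attribute types present in the Subject Name
    not_before: datetime                # issuance-date proxy, tz-aware
    eku: Optional[FrozenSet[str]]       # key purposes, or None if no EKU extension
    self_signed: bool                   # approximation: issuer == subject
    is_ca: bool                         # basicConstraints cA=true
    ku_present: bool                    # keyUsage extension present
    ku_digital_signature: bool
    ku_key_encipherment: bool
    rsa_key: bool                       # subject public key is RSA
    x509_valid: bool = True             # False if the blob is not a valid Certificate


def should_revoke(c: CertFacts) -> Optional[str]:
    """Return the matching criterion as text, or None if the certificate is kept."""
    if not (c.subject_oids & IDENTITY_OIDS):
        return None                     # no O/GN/SN attribute: outside the sunset
    if c.self_signed or c.is_ca:
        return None                     # roots and CA certificates are excluded
    if not c.x509_valid:
        return "not a valid Certificate as defined by X.509"
    if c.eku is not None:
        # With an EKU present, only pre-BR web-usable certificates are caught.
        if c.not_before < BR_EFFECTIVE and (c.eku & WEB_EKUS):
            return "issued before 2012-07-01 with serverAuth/anyExtendedKeyUsage"
        return None
    # No EKU: the two key-usage branches apply regardless of issuance date.
    if c.ku_present and c.ku_digital_signature:
        return "no EKU, keyUsage digitalSignature"
    if c.ku_present and c.ku_key_encipherment and c.rsa_key:
        return "no EKU, keyUsage keyEncipherment with RSA subject key"
    return None


def facts_from_x509(cert) -> CertFacts:
    """Extract CertFacts from a cryptography.x509.Certificate (needs 'cryptography')."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import rsa

    def ext(cls):
        try:
            return cert.extensions.get_extension_for_class(cls).value
        except x509.ExtensionNotFound:
            return None

    bc, eku, ku = ext(x509.BasicConstraints), ext(x509.ExtendedKeyUsage), ext(x509.KeyUsage)
    nb = getattr(cert, "not_valid_before_utc", None) \
        or cert.not_valid_before.replace(tzinfo=timezone.utc)
    return CertFacts(
        subject_oids=frozenset(a.oid.dotted_string for a in cert.subject),
        not_before=nb,
        eku=None if eku is None else frozenset(o.dotted_string for o in eku),
        self_signed=(cert.issuer == cert.subject),   # approximation, see lead-in
        is_ca=bool(bc is not None and bc.ca),
        ku_present=ku is not None,
        ku_digital_signature=bool(ku is not None and ku.digital_signature),
        ku_key_encipherment=bool(ku is not None and ku.key_encipherment),
        rsa_key=isinstance(cert.public_key(), rsa.RSAPublicKey),
    )


def sample_facts() -> Dict[str, CertFacts]:
    """Constructed sample inputs (not real certificates) covering each branch."""
    pre = datetime(2011, 3, 1, tzinfo=timezone.utc)
    post = datetime(2015, 3, 1, tzinfo=timezone.utc)
    ov = frozenset({"2.5.4.3", "2.5.4.6", OID_ORG})           # CN, C, O
    iv = frozenset({"2.5.4.3", OID_GIVEN_NAME, OID_SURNAME})  # CN, GN, SN
    dv = frozenset({"2.5.4.3"})                               # CN only
    base = dict(self_signed=False, is_ca=False, ku_present=True,
                ku_digital_signature=True, ku_key_encipherment=True, rsa_key=True)
    sa, ca = frozenset({OID_SERVER_AUTH}), frozenset({"1.3.6.1.5.5.7.3.2"})
    return {
        "pre_br_ov_serverauth": CertFacts(ov, pre, sa, **base),
        "post_br_ov_serverauth": CertFacts(ov, post, sa, **base),
        "pre_br_ov_clientauth_only": CertFacts(ov, pre, ca, **base),
        "pre_br_dv_serverauth": CertFacts(dv, pre, sa, **base),
        "pre_br_ov_ca_cert": CertFacts(ov, pre, None, **{**base, "is_ca": True}),
        "post_br_ov_no_eku_digsig": CertFacts(
            ov, post, None, **{**base, "ku_key_encipherment": False, "rsa_key": False}),
        "post_br_ov_no_eku_keyenc_ec": CertFacts(
            ov, post, None, **{**base, "ku_digital_signature": False, "rsa_key": False}),
        "post_br_ov_no_eku_keyenc_rsa": CertFacts(
            ov, post, None, **{**base, "ku_digital_signature": False}),
        "pre_br_iv_malformed": CertFacts(iv, pre, sa, x509_valid=False, **base),
    }


def classify_all(facts: Optional[Dict[str, CertFacts]] = None) -> Dict[str, Optional[str]]:
    """Map each sample name to the revocation reason (None means keep)."""
    return {name: should_revoke(c) for name, c in (facts or sample_facts()).items()}


if __name__ == "__main__":
    for name, reason in classify_all().items():
        print(f"{name:32s} {'REVOKE: ' + reason if reason else 'keep'}")
```

To run this over a real inventory, parse each DER blob with `cryptography.x509.load_der_x509_certificate`, pass the result through `facts_from_x509`, and treat a parse failure as the "not a valid Certificate" case. Note that a certificate with neither an EKU nor a keyUsage extension falls through every branch and is kept, mirroring the criteria exactly as written.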