RE: 7.1.6.1 Reserved Certificate Policy Identifiers

2020-05-14 Thread Doug Beattie via dev-security-policy
Yes, I should have asked this on the CABF list, and you answered my question 
with the links below.  Thanks!


From: Ryan Sleevi  
Sent: Thursday, May 14, 2020 8:57 AM
To: Doug Beattie 
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: 7.1.6.1 Reserved Certificate Policy Identifiers


Did you mean to ask this on the CABF list?


This is https://github.com/cabforum/documents/issues/179 which I was going to try to
fix in https://github.com/sleevi/cabforum-docs/pull/12 (aka “spring” cleanup that is
seeking endorsers)


The discussion thread is https://cabforum.org/pipermail/validation/2020-May/001469.html



___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: 7.1.6.1 Reserved Certificate Policy Identifiers

2020-05-14 Thread Ryan Sleevi via dev-security-policy
Did you mean to ask this on the CABF list?

This is
https://github.com/cabforum/documents/issues/179 which I was going to try
to fix in
https://github.com/sleevi/cabforum-docs/pull/12 (aka “spring” cleanup that
is seeking endorsers)

The discussion thread is
https://cabforum.org/pipermail/validation/2020-May/001469.html


7.1.6.1 Reserved Certificate Policy Identifiers

2020-05-14 Thread Doug Beattie via dev-security-policy
I have a question about section 7.1.6.1.  It says:

This section describes the content requirements for the Root CA, Subordinate
CA, and Subscriber Certificates, as they relate to the identification of
Certificate Policy.


For Subscriber certificates I totally understand and agree with section
7.1.6.1, and specifically:


If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it
MUST NOT include organizationName, …

and

If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it
MUST also include organizationName, …


This means you can have one or the other, but never both in one certificate.



But, if a Root and a subordinate MUST have an Organizational name, then
there is no way it could ever have the DV policy OID (2.23.140.1.2.1) and
comply with that requirement.


The scope of this section should be for Subscriber Certificates only.  Can
we agree that was a bug?


Section 7.1.6.3 goes on to say that a CA "MAY include the CA/Browser Forum
reserved identifiers … to indicate the Subordinate CA's compliance with
these Requirements" which further implies that CA certificates can contain
CABF Policy identifiers (there are 6 defined CABF OIDs,
https://cabforum.org/object-registry/)


Doug



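The organizationName rule Doug quotes from 7.1.6.1, written out as a lint-style consistency check. This is an added example, not code from the thread, from the CA/Browser Forum, or from any existing linter. It takes the policy OIDs a certificate asserts and whether its subject carries organizationName, and reports the combinations the quoted text forbids; the `is_ca` flag captures the point raised in the post that a Root or Subordinate CA certificate, which must carry organizationName, can never satisfy the DV rule. The `check_certificate` adapter assumes the `cryptography` package's `x509` API (an optional dependency, imported only when that function is called); the sample inputs in `main` are constructed for illustration.

```python
# Added example: consistency check between CA/Browser Forum policy OIDs
# and the subject organizationName, following the 7.1.6.1 text quoted
# in the thread. Not the thread's own code; the cryptography adapter is
# an assumption about that library's API.

DV_OID = "2.23.140.1.2.1"  # Domain Validated: subject MUST NOT include organizationName
OV_OID = "2.23.140.1.2.2"  # Organization Validated: subject MUST include organizationName


def check_policy_consistency(policy_oids, has_org_name, is_ca=False):
    """Return a list of findings; an empty list means the certificate is consistent.

    policy_oids  - iterable of dotted-string OIDs from certificatePolicies
    has_org_name - True when the subject contains organizationName (O=)
    is_ca        - True for Root / Subordinate CA certificates (cA=TRUE)
    """
    oids = set(policy_oids)
    findings = []

    # Both OIDs at once can never comply: one forbids O=, the other requires it.
    if DV_OID in oids and OV_OID in oids:
        findings.append("asserts both DV and OV OIDs; the organizationName rules are mutually exclusive")

    if DV_OID in oids and has_org_name:
        findings.append("asserts DV OID but subject includes organizationName")

    if OV_OID in oids and not has_org_name:
        findings.append("asserts OV OID but subject lacks organizationName")

    # Doug's point: CA certificates must carry organizationName, so a CA
    # certificate asserting the DV OID cannot satisfy 7.1.6.1 as written.
    if DV_OID in oids and is_ca:
        findings.append("CA certificate asserts DV OID; CA certificates must carry organizationName")

    return findings


def check_certificate(cert):
    """Run the check on a cryptography.x509.Certificate (assumed API, optional dependency)."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID

    try:
        policies = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES).value
        oids = [p.policy_identifier.dotted_string for p in policies]
    except x509.ExtensionNotFound:
        oids = []

    has_org = bool(cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME))

    try:
        is_ca = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca
    except x509.ExtensionNotFound:
        is_ca = False

    return check_policy_consistency(oids, has_org, is_ca)


def main():
    # Constructed sample inputs (policy OIDs, has organizationName, is CA).
    samples = {
        "DV leaf, no O=": ([DV_OID], False, False),
        "OV leaf with O=": ([OV_OID], True, False),
        "DV leaf with O=": ([DV_OID], True, False),
        "OV leaf without O=": ([OV_OID], False, False),
        "leaf asserting both": ([DV_OID, OV_OID], True, False),
        "subordinate CA asserting DV": ([DV_OID], True, True),
    }
    for label, (oids, has_org, is_ca) in samples.items():
        findings = check_policy_consistency(oids, has_org, is_ca)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")


if __name__ == "__main__":
    main()
```

The pure function is the part worth wiring into a pre-issuance lint: it needs only the OID list and two booleans, so it can also run over a CT log export or a CA's issuance database without parsing each certificate twice.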