Re: [Servercert-wg] Discussion about single-purpose client authentication leaf certificates issued from a server TLS Issuing CA

Tue, 14 May 2024 22:19:38 -0700 


On 15/5/2024 7:35 π.μ., Roman Fischer via Servercert-wg wrote:


Dear Aaron,


Interesting line of argumentation. Wouldn’t that conclude that -every- 
mis-issuance of a leaf certificate would be a violation of "all 
certificates that it issues MUST comply with one of the following 
certificate profiles" and thus would require the ICA to be revoked? 
That can’t be the intent of the regulation, right?




Roman,


TC non-TLS subCAs already have a defined certificate profile described 
in the BRs so there is no need to revoke such an ICA. I think you might 
be referring to non-TLS Subscriber Certificates issued by those TC 
non-TLS SubCAs?



Dimitris.


Rgds
Roman


*From:*Servercert-wg <[email protected]> *On Behalf 
Of *Aaron Gable via Servercert-wg

*Sent:* Dienstag, 14. Mai 2024 16:59

*To:* Dimitris Zacharopoulos (HARICA) <[email protected]>; CA/B Forum 
Server Certificate WG Public Discussion List <[email protected]>
*Subject:* Re: [Servercert-wg] Discussion about single-purpose client 
authentication leaf certificates issued from a server TLS Issuing CA



On Tue, May 14, 2024, 02:33 Dimitris Zacharopoulos (HARICA) via 
Servercert-wg <[email protected]> wrote:


    Is it ok for such an Issuing CA to create a single-purpose client
    authentication TLS Certificate, one that is structured according
    to RFC 5280 (thus can be successfully parsed by Relying Party RFC
    5280-conformant software), contains an extKeyUsage extension which
    contains the /id-kp-clientAuth/ and DOES NOT include the
    /id-kp-serverAuth/ KeyPurposeId?


Speaking in a personal capacity, it is my opinion that no, such 
issuance is not acceptable.



I agree that the resulting end-entity client-auth-only certificate is 
out of scope of the BRs, and is not in and of itself misissued. 
However, the issuing intermediate itself is still in scope of the BRs, 
and its behavior can be contained by them. By virtue of issuing the 
clientAuth cert, the issuing intermediate has violated the BRs 
requirement that "all certificates that it issues MUST comply with one 
of the following certificate profiles".



One could even argue that, having issued a certificate which does not 
comply with a BR profile, the issuing intermediate must be revoked 
within 7 days, per BRs Section 4.9.1.2 (5): "The Issuing CA SHALL 
revoke a Subordinate CA Certificate [if...] the Issuing CA is made 
aware that the... Subordinate CA has not complied with this document".


Aaron


_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg

_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg






















					Reply via email to