[cabfpub] Misissuance of certificates

Ryan Sleevi sleevi at google.com
Wed Jan 20 20:51:43 UTC 2016 

On Wed, Jan 20, 2016 at 11:57 AM, Peter Bowen <pzb at amzn.com> wrote:

> What would you think about defining a new term, “Compliance Date”?
>
> Compliance Date: The Compliance Date of a certificate is the earlier of
> the notBefore field or when the CA signs the certificate
>
> Then it can be used to make it very clear:
>
> These Requirements *apply to all Certificates with a Compliance Date of
> or after February 15, 2013 that include id_kp_serverAuth
> (1.3.6.1.5.5.7.3.1) in the extended key usage extension. Additionally,
> these Requirements apply to all Certificates **with a Compliance Date of
> or after June 30, 2016 **that either do not include the extended key
> usage extension or include anyExtendedKeyUsage (2.5.29.37.0) in the
> extended key usage extension.*
>

This seems to weaken Jeremy's proposal - but perhaps it's merely bringing
clarity to what was already a weak proposal.

That is, it leaves an unknown portion of non-BR certificates out there for
an unknown number of years (since, by being non-BR, we cannot presume that
the certificates themselves will expire within the 39 months prescribed by
the BRs, nor the 60 months previously allowed)

The problem with the Web PKI is determining what the known-knowns are, but
also trying to map out the unknown-unknowns - there's a vast portion of
'hidden' certificates which do not comply to the BRs, but were issued by BR
conforming roots. The past two years of Mozilla's CA communications
demonstrate Mozilla's own attempts to map out the scope and impact of such
certificates - even when the requirements were much clearer.

If we adopt a position of "go forward" of June 30, 2016 being when anything
in scope (and there may still be some wording tweaks needed here to clarify
that issuance from a CA that has the EKUs but leaves that do not have EKUs,
the leaf is _still in scope_), I think we should also look at an
internal-server-name like "revoke-or-disclose" sunset clause.

The end goal being that, for roots and intermediates that conform to the
BRs, the entire population of certificates - and the requirements that they
were expected to abide by - can be known.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160120/a8d1d62b/attachment-0003.html>

More information about the Public mailing list