[cabfpub] Naming rules

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Mar 9 22:48:05 UTC 2017


Jeremy - not sure I understand your message, but if you saw Jeff Ward's email, it appears a CA that properly uses BR 9.16.3 will receive an unqualified WebTrust report (with disclosures) and not a qualified report.  

-----Original Message-----
From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Thursday, March 9, 2017 2:33 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: Peter Bowen <pzb at amzn.com>
Subject: RE: [cabfpub] Naming rules

Right - the Microsoft root program requires a WebTrust seal for inclusion according to the agreement. Therefore, the best path forward is one that does not require a qualified audit as it precludes a WebTrust seal. This is a good way to satisfy both concerns, permitting a WebTrust seal while still giving notice that there is a conflict between national law and the BRs.

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Sunday, March 5, 2017 7:38 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: Peter Bowen <pzb at amzn.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Naming rules

Kirk,

I’m afraid you misunderstood a portion of my suggestion.  There is nothing here about BR 9.16.3.  This is a suggestion of taking a coordinated intentional audit qualification, which _will_ result in not receiving a WebTrust seal.   Depending on the definition of “successful”, it very well may not be a successful audit.

If the objective is to allow the Government Certification Authority operated by Chunghwa Telecom to receive a WebTrust seal and to allow them to use their existing names in their DIT for Subject Names,  then the criteria for WebTrust must be updated in such a way to allow the name forms as-is.  This inherently does mean changing the BRs, as I understand it.

Thanks,
Peter

> On Mar 5, 2017, at 2:18 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
> 
> +1.  Seems like a good resolution to me - full disclosure to users and browsers, deference to local law where applicable as provided in BR 9.16.3 (local users are probably already used to any local customs on naming rules), and avoids the need for the Forum to try to understand and approve/disapprove local naming rules one by one.  Allows auditors to complete successful audits with disclosure, and the trust list maintainers receive notice and can make their own decisions.
> 
> -----Original Message-----
> From: Peter Bowen [mailto:pzb at amzn.com] 
> Sent: Sunday, March 5, 2017 12:06 PM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
> Subject: Re: [cabfpub] Naming rules
> 
> To wrap us discussion of this issue and provide a way for Chunghwa Telecom to proceed, I believe Chunghwa Telecom (and any other CA in a similar situation) should do the following:
> 
> 1)      Ensure that their CPS otherwise meets the BRs
> 2)      Add a clear callout in the CPS that the Names in certificates (usually in section 3.1) don’t comply with the BRs
> 3)      Ensure that the CPS clearly defines the rules for names (so the auditor can confirm that the issued certificates meet the rules)
> 4)      Discuss this with each organization that requires following the BRs as part of accepting roots to their trust list	
> 5)      Add something like “during the period XX to YY, Chunghwa Telecom […] based on the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security v2.0 except Subject Information in certificates issued did meet the minimum requirements for Certificate Content and profile.” to their management assertion.  This could be followed up with a sentence similar to “Instead, Subject Information conformed to ZZZZ” (whatever regulation is appropriate)
> 6)      Then the auditor will include a very similar sentence in their opinion letter.
> 
> This will not require any changes to the BRs or any further action by the Forum.  Neither the Forum nor the WebTrust task force mandates following the BRs.  It is to each trust list maintainer as to whether they want include a CA who uses alternative naming rules.
> 
> If others agree, I don’t think the Forum or the validation WG needs to consider this issue further.
> 
> Thanks,
> Peter
> 
>> On Mar 4, 2017, at 5:55 PM, Kirk Hall via Public <public at cabforum.org> wrote:
>> 
>> Great explanation, Peter - thanks.
>> 
>> 
>> 
>> Gerv - maybe the BR rules came from X520?  file:///C:/Users/khall/Downloads/T-REC-X.520-201610-I!!PDF-E.pdf
>> 
>> 
>> 
>> We may already have a solution that does not require any further action by the CABF.  BR 9.16.3 shown below allows a CA to modify any BR requirement  that conflicts with local law by (1) giving a statement and explanation in Sec. 9.16.3 of its CPS, and (2) sending a message to the CABF questions@ list with the same information. 
>> 
>> 
>> 
>> It seems that section would apply where a national government requires a CA to use Subject Names from a Directory Information Tree operated by the national government, and that Tree conflicts with the BR naming rules.  Does anyone disagree?
>> 
>> 
>> 
>> Li-Chun -- can you solve your problem simply by following the rules in BR 9.16.3?
>> 
>> 
>> 
>> 9.16.3. Severability
>> 
>> 
>> 
>> In the event of a conflict between these Requirements and a law, regulation or government order (hereinafter 'Law') of any jurisdiction in which a CA operates or issues certificates, a CA MAY modify any conflicting requirement to the minimum extent necessary to make the requirement valid and legal in the jurisdiction. This applies only to operations or certificate issuances that are subject to that Law. In such event, the CA SHALL immediately (and prior to issuing a certificate under the modified requirement) include in Section 9.16.3 of the CA’s CPS a detailed reference to the Law requiring a modification of these Requirements under this section, and the specific modification to these Requirements implemented by the CA.
>> 
>> 
>> 
>> The CA MUST also (prior to issuing a certificate under the modified requirement) notify the CA/Browser Forum of the relevant information newly added to its CPS by sending a message to questions at cabforum.org and receiving confirmation that it has been posted to the Public Mailing List and is indexed in the Public Mail Archives available at https://cabforum.org/pipermail/public/ (or such other email addresses and links as the Forum may designate), so that the CA/Browser Forum may consider possible revisions to these Requirements accordingly.
>> 
>> 
>> 
>> -----Original Message-----
>> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
>> Sent: Thursday, March 2, 2017 7:29 PM
>> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
>> Cc: Peter Bowen <pzb at amzn.com>
>> Subject: [cabfpub] Naming rules
>> 
>> 
>> 
>> We have had a number of discussions over the last few months about the content of Subject Names in Certificates.  I promised on a recent call to try to summarize one of the issues, including the issue that Li-Chun has raised.
>> 
>> 
>> 
>> The Baseline Requirements specify how Names are to be constructed.  There are rules about which attributes must appear in names and what the content of the attributes must be.
>> 
>> 
>> 
>> There are other existing PKIs with different naming rules.  Another PKI could forbid an attribute required by the BRs.  Alternatively another PKI could require that the full Name be taken verbatim from some other source, such as an existing Directory Information Tree; these Names many not include attributes required by the BRs.
>> 
>> 
>> 
>> I believe the government on Taiwan falls into the latter case.  They have a PKI which has the policy that names must be taken from an existing Directory Information Tree operated by the government.  Many of the Names in the existing DIT don’t include attributes that are required by the BRs.  Therefore the question is whether we should make an exception to allow this existing PKI to be declared BR-compliant by adding some language like “ If a Government CA is required by its Certificate Policy to use Subject Names from a Directory Information Tree operated by a Government Entity, then section 7.1.4.2.2 shall not apply.”
>> 
>> 
>> 
>> Li-Chun: Did I get this right?
>> 
>> 
>> 
>> Others: Does this make the issue clearer?
>> 
>> 
>> 
>> Thanks,
>> 
>> Peter
>> 
>> _______________________________________________
>> 
>> Public mailing list
>> 
>> Public at cabforum.org
>> 
>> https://cabforum.org/mailman/listinfo/public
>> 
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
> 

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public


More information about the Public mailing list