[Servercert-wg] Aligning the BRs with existing Browser Requirements
Ryan Sleevi
sleevi at google.com
Sat Oct 12 10:26:57 MST 2019
In order for Browsers to have reasonable confidence in CAs, it is important
to ensure that, when possible, browser requirements are enshrined within
the relevant audit criteria. This helps provide independent assurance that
things are fairly stated. The best way to do that is to ensure they're
captured within the Baseline Requirements, so those can inform the
development of the audit criteria.
In order to make it easier for CAs to meet Browser root program
requirements, it is useful to ensure those requirements are captured in the
Baseline Requirements, where possible. This helps highlight the importance
of the requirement, as well as provides the opportunity for feedback and
discussion with auditors during the design and implementation process.
To that end, I've tried to capture some of the existing root program
requirements that go "above and beyond" what the BRs require, but are
never-the-less root program requirements and required by all CAs trusted by
those root programs to follow, to help reduce the divergences.
https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
contains changes to hopefully make it easier to migrate these Root Program
requirements to the BR, now that they've been successfully implemented by
nearly all CAs in this Forum and all CAs in those browser root programs.
I've based it on the current versions, which means there's some slight
interactions with SC23, the draft cleanup ballot, and Jos' formatting
ballot - so I can appreciate that it's not quite ready to kick off to
Ballot, but hopefully sufficient to start discussion now.
The requirements on Audit Report content are updated to align with the
requirements placed by Mozilla and Microsoft.
- Microsoft requires that the full hierarchy be documented (
https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements#b-the-scope-of-the-audit
)
- Mozilla requires that the intermediate(s) be documented (
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#314-public-audit-information
)
- Mozilla requires an English language report be made available (
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#314-public-audit-information
)
- This updates Section 8.6 to capture and combine these requirements.
The requirements on Audit Report delivery are updated to align with the
requirements placed by Microsoft.
- The (existing) BRs place a SHOULD requirement on 3 months between the
production of the Audit Report, in Section 8.6
- Microsoft places a MUST requirement (
https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements#d-the-time-period-between-the-assessment-and-the-auditors-attestation
)
- This updates Section 8.6 to reflect this.
- Note: This is particularly important for the oversight of
independently-operated Sub-CAs; the objective is to ensure that the Root CA
is receiving reports from the Subordinate, much like the Browser ensures
they receive timely reports from the Root. Just like a failure to provide
timely reports is a matter of non-compliance for Browsers, Roots should
treat a failure by their intermediates to provide timely reports as matters
of non-compliance.
The requirements on OCSP responses are updated to align with the
requirements placed by Microsoft.
- Microsoft places additional requirements on both the minimum and
maximum time for OCSP responses (
https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#c-revocation-requirements
)
- This aligns 4.9.10 with Microsoft's requirements (This is also why the
conflict with both SC23 and the Cleanup ballot)
- Note: As with everything date-based, "math is hard". This attempts to
provide an unambiguous requirement to address issues like leap-seconds and
partial days. Feedback is most definitely welcome and needed here.
The requirements on certificatePolicies for Subscriber Certificates are
updated to align with the requirements placed by Microsoft.
- Microsoft places a requirement on Subscriber certificates (strangely
enough, in their Root Certificate section) that they MUST contain one of
the CA/Browser Forum reserved OIDs (
https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#a-root-requirements
-
#15)
- This updates the BRs, 7.1.6.4, to capture this. Rather than
referencing EV from the BRs directly, this only places a requirement that
there MUST be one cabforum-defined OID here. This allows other
ServerCert-WG documents (like the BRs) to extend the BRs / layer on top,
without having to update the BRs and without having to make the EVGs
provide an *exception* to the BRs (exceptions are bad).
- If folks feel this approach is confusing, then I think the better
alternative would simply be to reference the EVGs from the BRs
(Specifically, Section 7.1.6.1), and allow that OID. I have language to do
this, so we can totally see how folks feel it is on being completely
unambiguous and completely unlikely to be exploited/exploitable.
The requirements on extendedKeyUsage for Subordinate CA Certificates are
updated to align with the requirements placed by Microsoft and Mozilla.
- The BRs currently leave extKeyUsage for sub-CAs as optional.
- Mozilla requires it for all newly issued (since 2019-01-01) sub-CAs
that are not also Cross Certificates (
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#53-intermediate-certificates
)
- Microsoft has required separation of intermediate since July 2016 for
all sub-CAs (
https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#a-root-requirements
#11
)
- This attempts to update 7.1.2.2 (g) to reflect the intersection of
Mozilla and Microsoft.
- It tries to account for the following scenarios:
- Subordinate CAs that are Cross Certificates
- Subordinate CAs that are used to issue TLS
- Subordinate CAs that are used to issue not-TLS (e.g. S/MIME)
- Subordinate CAs that are used for OCSP Signing or Timestamping
- One challenge, that we've long known since our discussions in
governance, is different WGs potentially placing conflicting requirements
on the same set of certificates. We've long discussed the presumed method
of de-conflicting those situations - by ensuring only certificates
containing the EKU relevant to the Chartered WG are in scope - but we know
that's a large effort. I've attempted to thread that needle carefully, but
if folks are concerned with the "For Subordinate CA Certificates that are
not used to issue TLS certificates" paragraph, then I can tackle the
clarity differently, by modifying Section 1.1 on scoping.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191012/491a2851/attachment-0001.html>
More information about the Servercert-wg
mailing list