[cabf_validation] Subject DN attributes in ICA certificates
Ryan Sleevi
sleevi at google.com
Wed Jun 10 06:35:13 MST 2020
On Wed, Jun 10, 2020 at 8:38 AM Doug Beattie <doug.beattie at globalsign.com>
wrote:
> Ryan, Tim and group,
>
>
>
> I was looking at the CA Certificate Profile page yesterday and had a
> couple of questions.
>
>
>
> 1. For ICAs, the BR lists 3 subject DN attributes and remains silent
> on the remaining. We see lots of CAs including other attributes
> (State/Prov, Locality, etc.) and it’s not clear if this is a violation of
> the BRs or not (default deny discussion…). Even after a long thread [1],
> we didn’t come to a consensus. I don’t want to open that can of worms
> here, but the question is, as we update this section with the intent of not
> making material changes, what DN fields do we say are permitted? Currently
> the page says Optional in the optional/required column but says prohibited
> further to the right (along with a reference to the DN tab for validation
> rules which implies it’s permitted). Does this update intend to clarify
> what’s permitted and the associated validation rules? Do we need a ballot
> prior to this Profile ballot to define permitted attributes and to specify
> the validation rules?
>
> Yes, we need a ballot to resolve this.
>
> 1.
> 2. Related to this, the definition of Org is currently: “This field
> MUST be present and the contents MUST contain either the Subject CA’s name
> or DBA as verified under Section 3.2.2.2”. I could not find a definition
> of “Subject CA’s Name” to know what exactly that means. A number of CAs,
> GlobalSign included, issue “Vanity” CAs. Those are CA certificates in the
> name of a 3rd party and run by the CA identified in the Certificate
> Policy CPS link. As we clarify the validation rules for fields in CA
> certificates, we should be clear on what we mean by “Subject CA’s name” and
> how these attributes are validated. This was discussed in 2017 as part of
> Ballot 199. Gerv said it was permitted [2], and Ben said [3] this was part
> of the Policy WG discussion about “CA” and “CA Operator”, which I don’t
> think was ever reflected in the BRs.
>
> That seems to be confusing CN with O name. You seem to be discussing a
different field than Gerv, have I confused anything?
>
> 1.
>
> We should come to conclusion on both of these as part of clarifying the
> certificate profiles and attribute validation rules. Do we need a ballot
> on these before we can finalize the certificate profiles?
>
>
>
> Ryan – I believe you created a list of all subject Attributes you found in
> CAs at some point. Is that the starting point we wanted to use as the
> “whitelist” of attributes as we clarify what is permitted?
>
Yes, and I circulated it multiple times for feedback. It was the process of
preparing a Ballot that revealed the systemic issues that we're now
discussing with profiles, in order to resolve matters like how you
highlight. I just didn't expect we'd be spending so long on profiles.
>
>
> [1]
> https://lists.cabforum.org/pipermail/servercert-wg/2019-October/001154.html
>
> [2] https://lists.cabforum.org/pipermail/public/2017-May/010928.html
>
> [3] https://lists.cabforum.org/pipermail/public/2017-May/010936.html
>
>
>
>
>
> Doug
>
>
>
> *From:* Validation <validation-bounces at cabforum.org> *On Behalf Of *Ryan
> Sleevi via Validation
> *Sent:* Thursday, June 4, 2020 5:50 PM
> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Subject:* Re: [cabf_validation] Sub-CAs and CP policy OIDs
>
>
>
>
>
>
>
> On Tue, May 12, 2020 at 4:09 PM Ryan Sleevi <sleevi at google.com> wrote:
>
> I had an issue flagged by a CA and went and filed
> https://github.com/cabforum/documents/issues/179 to try to capture the
> issue
>
>
>
> The TL:DR: is how to handle a sub-CA that wishes to use the CABF OIDs
> within their end-entity certificates, but is not Affiliated with the Root.
>
>
>
> Bumping this, and hoping to get some feedback from other root programs as
> to whether or not they see it as an issue with the BRs, and whether the
> attempted solution ( https://github.com/sleevi/cabforum-docs/pull/21 ) is
> aligning in the right direction. As it is, it raises questions about
> whether some Sub-CAs are in compliance, and creates challenges for issuing
> new Sub-CAs, so I want to make sure we're moving in the right direction and
> giving CAs the clarity they need from Root Programs.
>
>
>
> Separate from that more immediate issue, I'm also starting to wonder
> whether, longer-term, we should restructure how we handle these policy
> OIDs, to make it easier for Relying Party software to use
> certificatePolicies for verification, rather than the (implemented by
> Google/Mozilla/Microsoft) EKU chaining behaviour. This would likely help
> resolve some of the issues around separate trust frameworks, by more
> clearly asserting the trust framework (or frameworks) a certificate belongs
> to. That's not something we need to immediately tackle, as we can still
> smoothly transition later, but the way our current requirements are
> structured, which this PR tries to preserve, prevents that.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20200610/7a92ccb1/attachment-0001.html>
More information about the Validation
mailing list