[cabf_validation] Profiles: cPSuri for Cross-certificates

Tim Hollebeek tim.hollebeek at digicert.com
Wed Jul 13 20:59:06 UTC 2022

I’m trying to think of whether a permissive update that allowed either the traditional way or your proposed new way would be harmful.  Because that would avoid the complications of “changing” the requirement.

I’ve been thinking through what might go wrong for a bit, and nothing is coming to mind.  It would merely allow a CA to point to the right CPS, instead of arguably the wrong CPS.  There’s the potential for some confusion during the transition period, but that doesn’t seem to be a good argument for continuing to uniformly do it wrong.


From: Validation <validation-bounces at cabforum.org> On Behalf Of Wayne Thayer via Validation
Sent: Wednesday, May 18, 2022 6:20 PM
To: CABforum3 <validation at cabforum.org>
Subject: [cabf_validation] Profiles: cPSuri for Cross-certificates

While reviewing the draft certificate profiles ballot <https://github.com/sleevi/cabforum-docs/pull/36>, I noticed that section "Cross-Certified Subordinate CA Extensions" references section <https://github.com/sleevi/cabforum-docs/blob/profiles/docs/BR.md#712105-certificate-policies> for the certificatePolicies extension. This section states that the id-qt-cps (cPSuri) policy qualifier must contain:

"The HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA."

This means that the CPS link in an externally operated cross-certificate must (if present) point to the root CA's policies. I think that the cPSuri should reference the policies under which the CA certificate is operated rather than the policies of the issuing CA.

I asked Ryan about this and he correctly pointed out <https://github.com/sleevi/cabforum-docs/pull/36#pullrequestreview-965169715> that while the language is different, the same requirement exists in the current version of the BRs.

This is a minor issue in the grand scheme of things, but I'd like to suggest that we consider changing the requirement, or at least add some additional language to call out the non-intuitive nature of the existing requirement.
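As an added example (not part of either message, and not CA/B Forum or DigiCert code): a constructed cross-certificate built with the `cryptography` library that carries a certificatePolicies extension with a cPSuri qualifier, plus a check that reads the qualifier back and reports whether it points at the issuing CA's CPS (what the section quoted above requires) or at the CPS of the CA that operates the certificate (the proposed change). The URLs, subject names, the `build_cross_cert` and `which_cps` helpers are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed placeholder URLs; neither is a real CA document.
ROOT_CPS = "https://root-ca.example/cps"      # issuing (root) CA's CPS
OPERATOR_CPS = "https://operator.example/cps"  # externally operated sub CA's CPS


def build_cross_cert(cps_uri: str) -> x509.Certificate:
    """Constructed cross-certificate: a 'root' issuer signs a CA certificate
    for an externally operated subordinate and embeds a certificatePolicies
    extension whose id-qt-cps (cPSuri) qualifier is cps_uri."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    sub_key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    policy = x509.PolicyInformation(
        x509.ObjectIdentifier("2.23.140.1.2.1"),  # CA/B Forum DV policy OID
        [cps_uri],  # a plain str qualifier is encoded as a cPSuri
    )
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Sub CA")]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root")]))
        .public_key(sub_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.CertificatePolicies([policy]), critical=False)
        .sign(root_key, hashes.SHA256())
    )


def cps_uris(cert: x509.Certificate) -> list[str]:
    """Every cPSuri qualifier in certificatePolicies; [] if the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return []
    # UserNotice qualifiers are objects, cPSuri qualifiers come back as str.
    return [q for pi in ext.value for q in (pi.policy_qualifiers or []) if isinstance(q, str)]


def which_cps(cert: x509.Certificate, issuer_cps: str, operator_cps: str) -> str:
    """Classify the first cPSuri: 'issuer', 'operator', 'other' or 'absent'."""
    uris = cps_uris(cert)
    if not uris:
        return "absent"
    return {issuer_cps: "issuer", operator_cps: "operator"}.get(uris[0], "other")
```

Run `which_cps` over a real cross-certificate loaded with `x509.load_pem_x509_certificate` to see which policy document its cPSuri actually names.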

