Clean up usage of the "Certificate Profile" Defined Term #526

Open
CBonnell opened this issue Jun 24, 2024 · 3 comments
Labels
baseline-requirements Server Certificate CWG - Baseline Requirements


@CBonnell
Member

The conversation for draft ballot SC-75 indicated that the BRs are not consistent in defining "Certificate Profile" vs. how it is used.

Namely, it is defined as a configuration or document that implements a profile for certificates that conform to section 7 of the TLS BRs. However, in several places, it is used to reference the profile requirements in section 7 themselves. The latter type of usage is inconsistent with the definition and should be corrected.

This issue was created based on:

  • TLS BR Version 2.0.5
  • EVG Version 2.0.1

@CBonnell CBonnell added the baseline-requirements Server Certificate CWG - Baseline Requirements label Jun 24, 2024
@timfromdigicert
Contributor

Honestly, I actually think Section 7 does in fact have certificate profiles. After all, the title of 7.1 is "Certificate profile", and that section and title come directly from RFC 3647. But yes, it does make things horribly ambiguous. For example, the following is a valid sentence in my head:

"All of DigiCert's certificate profiles that allow the ServerAuth EKU also comply with the relevant certificate profile in section 7 of 'Baseline Requirements for I&M of publicly-trusted TLS Server Certificates'"

I think what people want is a distinction between the concept of "issuance profiles" which is some sort of policy or configuration information that describes what a particular CA does / does not issue, and the technical compliance requirements for all trusted CAs. They are of course closely related, but never the same, unless you buy the argument that it's ok to just copy Section 7 into your CPS, even if you don't do everything it describes. I know some CAs were arguing in Shanghai that that was ok, and whether it is is one of the things we'd have to address if we decide we want to distinguish between the actual issuance practices of a CA, as described by a profile, and the technical compliance requirements, as described by a profile.

So I think there's more subtlety in cleaning this up than the discussion in the other conversation considered.

@dzacharo
Contributor

Notes from the 2024-12-19 SCWG Teleconference:
