Profiles WIP #36
Profiles WIP #36
Conversation
docs/BR.md
Outdated
| * Each `RelativeDistinguishedName` MUST contain exactly one `AttributeTypeAndValue`. | ||
| * Each `RelativeDistinguishedName`, if present, is encoded within the `RDNSequence` in the order that it appears in [Section 7.1.4.2](#7142-subject-attribute-encoding). | ||
| * For example, a `RelativeDistinguishedName` that contains a `countryName` `AttributeTypeAndValue` pair MUST be encoded within the `RDNSequence` before a `RelativeDistinguishedName` that contains a `stateOrProvinceName` `AttributeTypeAndValue`. | ||
| * Except where explicitly specified, each `Name` MUST NOT contain more than one instance of a given `AttributeTypeAndValue` across all `RelativeDistinguishedName`s. |
There was a problem hiding this comment.
Currently there are no fields that explicitly specify that more instances are allowed. I think we should consider allowing multiple instances for:
organizationalUnitName(although the goal is to ultimately deprecate)givenName(Subscribers with multiple given names that possibly exceed the 16 characters limit)surname(Subscribers with multiple surnames that possibly exceed the 40 characters limit).
It's also possible that streetAddress is also used with multiple instances but that remains to be confirmed.
There was a problem hiding this comment.
If there are no upper-bound restrictions for givenName, surname, it should be fine to have only one instance allowed.
There was a problem hiding this comment.
I definitely disagree with the premise of multiple OUs :) streetAddress is one that was discussed with Tim a little, but I'm not sold, for the same reason we should be looking at OU deprecation.
I'll crunch CT data to see if/how many CAs used multiple instances of different fields.
There was a problem hiding this comment.
There was a problem hiding this comment.
@CBonnell The issue with that Censys query is that trust bits have been borked for a hot minute, and don't consider both distrusts and new trusts. crt.sh is a quite a bit more accurate here :)
There was a problem hiding this comment.
GRID certificates include multiple DC attributes, so that use case would be impacted by this requirement.
There was a problem hiding this comment.
@CBonnell Do you have instances of publicly trusted GRID certificates?
There was a problem hiding this comment.
Only a few CAs issue them, but it is a use case that would be affected.
There was a problem hiding this comment.
Thanks for that. I seem to recall a CA incident around this, but would need to dig in; I believe at one point this was explicitly called out as prohibited, but perhaps something got lost in a refactor. It also seems questionable under some of the BR blanket prohibitions re: domains in subject names (and misleading information).
Still, phasing from multiple to singular could be done with a phase-in to avoid any issue and provide clarity for these other fields, separate from any possible incident-related revocation for these GRID certs
There was a problem hiding this comment.
We only recently became aware of this discussion, so our apologies for possible chiming in later than usual. The Grid community is not directly represented in these discussions, usually relying on our partners in the Forum (over time we work and have worked with many, such as DigiCert and Sectigo, earlier also with GlobalSign and the former Comodo), so the “GRID” may appear remote and distant. I will try to close that gap a bit, since what is “GRID” here, is in fact a shorthand for the global research and education authentication community that uses PKIX for web-based research infrastructures. This includes e.g. CERN’s Large Hadron Collider, many US and European supercomputing centres, life science and health research, astronomy, &c - and their globally distributed web (storage) services accessed both via browsers as well as via automated transfer services. In addition, next to its server PKI deployment that is relevant here it includes a global end-user client PKI than allows researchers to authenticate.
Over almost two decades, the research and education collaborations, such as TERENA (now GEANT) for all European research and education networks, and InCommon in the US, have worked with their partners here to create a secure and tightly controlled ecosystem providing name uniqueness, adherence to standards (and providing some security and authentication innovations thereof along the way). We, as the global non-profit research community, are very supportive of a secure and trusted ecosystem for WebPKI, also by ensuring that browser-based access and service-agents can work together to secure the ecosystem in a comprehensive way.
The use of domainComponents in the subjectName is a core elements since it provides uniqueness of subject naming through (verified domain name owner-authorized) namespace slicing. This allows the browser users to validate the server, but at the same time is used e.g. for service-agent based authentication. Since these will by necessity use the very same end-points, it is important that the server certificates used have both WebPKI browser trust for human users as well as the uniqueness properties necessary for agent-based access.
The specific global uniqueness of the subject DN and having these certificates trusted for WebPKI is critical for securing connection to services that are access by both browsers as well as automated agents. Such as storage services: end-users can retrieves files via their browser, but automated large-scale research transfer services connect to the endpoints to do data placement (e.g. for CERN’s worldwide Large Hadron Collider Computing Grid) and must authenticate the endpoints based on their certificate subject name. To identify the endpoints, unique naming is necessary, which is what – for TCS and InCommon - the subject DN domainComponents supplies.
But, by design and semantics, domainComponent should appear multiple times. RFC 2247 is quite clear: “The value of this attribute is a string holding one component of a domain name.” So, given that a domain name usually consists of multiple components, also domainComponent should have multiple occurrences. With the domain name system being hierarchical, the ASN.1 thus has to be a sequence (of sets of unitary length) of this attribute.
The inclusion of domainComponent, in the way that it is worded today, was definitely not accidental or a refactoring anomaly. Our community worked together with several members, specifically DigiCert and Comodo (around ~2011), to align the BR text with these joint WebPKI security requirements. And ensure that domainComponent, and its standardized semantics, were included consistently in BR. The result was reconfirmed in Ballot 102 (https://cabforum.org/2013/05/31/ballot-102-br-9-2-3-domaincomponent/).
We therefore hereby reconfirm the existing current and continuing case for domainComponent, in line with the purpose as included in BR and in Ballot 102.
The use of domainComponents, as may be observed from Censys, identifies the long-term domain name from, and authorized explicitly by, the domain name owner, e.g. the Trans-European Research and Education Networking Association TERENA – terena.org, now GEANT; or the InCommon federation – incommon.org, providing certificates for the US research and education community (even if our issuing partners change). Intentionally, for security reasons certificate validity periods have always been rather short (the community had settled on max 400 days since its conception in 2001), but the subject names themselves are much longer lived: many of the research use cases is easily 30+ years. DomainComponents are the most appropriate attribute to carry the uniqueness information.
We note by the way that the rendering by Censys.io is not what is actually in the certificate subject names, since there is a bug in Censys that duplicates the sequence of domainComponents in the string rendering. It is in fact of course “[…non-DC-attributes…], dc=tcs, dc=terena, dc=org” (in RFC2253 ordering). Crt.sh shows it correctly (e.g. https://crt.sh/?id=5460913588).
Unique certificate subject naming, when used in combination with relying-party defined namespace constraints, also permits mutual authentication between endpoints. Admittedly, this is beyond the browser use case today, but the concept provides some supplementary protections by moving the source of authority for NameConstraints to the relying party, as discussed in GFD-I.189 (https://www.ogf.org/documents/GFD.189.pdf). Even in browsing scenarios this adds some security (admittedly only slightly) for text-browser-based access by end-users to the web services, since there global name uniqueness can be verified in appropriate clients.
Without the availability of (RFC standards-compliant) domainComponents, subject distinguished names will no longer be distinguishable …
docs/BR.md
Outdated
|
|
||
| ### 7.1.5 Name constraints | ||
| | __Attribute__ | __OID__ | __Specification__ | __Encoding Requirements__ | __Max Length[^maxlength]__ | |
There was a problem hiding this comment.
Should this table contain a column for explicitly allowing multiple instances of the same attribute?
There was a problem hiding this comment.
So, I had the draft language until folks could discuss further which and whether we allow multiple instances. You'll recall I raised it two calls ago, but there was no discussion on the list about that. I still think the right answer is no multiple instances, but I held off adding the column until we decided one way or the other (for the interim).
There was a problem hiding this comment.
I believe your answer in #36 (comment) clears the givenName, surname need for multiple instances :)
With the OU deprecation planned ahead, multiple OU fields would only be used until full deprecation.
sleevi
force-pushed
the
profiles
branch
2 times, most recently
from
c41662b to
2932714
Compare
docs/BR.md
Outdated
|
|
||
| | __Key Purpose__ | __OID__ | __Presence__ | | ||
| | ---- | ---- | - | | ||
| | `id-kp-serverAuth` | 1.3.6.1.5.5.7.3.1 | MUST | |
There was a problem hiding this comment.
An explicit requirement to say serverAuth is required is new and I totally understand the discussions that if you want client auth only you should/must not use the webPKI for that. Given this might be perceived as a change and impact some customers, should we assign a specific effective date for this (and other changes) so we can ballot the profiles work and make the spec immediately effective, but have specific dates for the items that need them?
There was a problem hiding this comment.
Could you describe a little more what you believe would be impacted? Perhaps an example crt.sh link?
I don't think your proposed fix is correct: a certificate with id-kp-clientAuth only is not one that should be issued for server auth, and the transition is only going to muddy those waters. I'm open to explicitly having a certificate profile for this, but I think it'd be useful if you could provide an example cert or certs to understand what this looks like today.
There was a problem hiding this comment.
Just following up on this @dougbeattie - You seemed OK on our most recent call, but did want to touch base to make sure before closing this out as resolved.
AIA allows multiple methods, and multiple instances of each method. However, client implementations use the ordering to indicate priority, as per RFC 5280, so clarify the requirements for multiple AccessDescriptions with the same accessMethod.
Rather than make basicConstraints MUST, make it a MAY, to allow omission (plus v3) or presence (but empty) to indicate that it is not a CA certificate.
As captured on https://archive.cabforum.org/pipermail/validation/2021-July/001675.html provide better guidance for the encoding of cRLDistributionPoints and the permitted protocols.
docs/BR.md
Outdated
| | `certificatePolicies` | | | | ||
| | \ \ **1** | MUST | The first `PolicyInformation` present in the `certificatePolicies`. | | ||
| | \ \ \ \ `policyIdentifier` | | A Reserved Certificate Policy Identifier (see [Section 7.1.6.1](#7161-reserved-certificate-policy-identifiers)). | | ||
| | \ \ \ \ `policyQualifiers` | SHOULD NOT | See below for restrictions on `policyQualifiers` | |
There was a problem hiding this comment.
The first Certificate Policies entry for non-affiliated CAs (7.1.2.10.4) says "MUST NOT" where this is "SHOULD NOT". Is there a reason for the difference? If the intention is to not include a policyQualifier for reserved policy identifiers, should this also be a "MUST NOT"?
There was a problem hiding this comment.
Thanks for flagging!
Under the existing BRs, the language in 7.1.2.2 states:
The following fields MAY be present if the Subordinate CA is not an Affiliate of the
entity that controls the Root CA
The key being "is not an Affiliate of the entity that controls the Root CA"
Logically, if we read this as written, then it means that if the Subordinate CA is an Affiliate, then those fields MUST NOT be present, because they are only permitted under certain situations.
So the intent here was to transcribe the existing requirement.
There was a problem hiding this comment.
@chrisbn Did this answer address your concern?
While RFC 2119 establishes that these two phrases are semantically equivalent, it's been suggested that this may resolve some anxiety around misinterpretations of SHOULD NOT as SHALL NOT, particularly by auditors. By changing this to NOT RECOMMENDED, the same guidance is preserved, but it hopefully makes it more palatable to CAs. See https://github.com/sleevi/cabforum-docs/pull/36/files#r856429830 for related discussion.
This restructures the naming rules to try to clarify: - That technically constrained non-TLS sub-CAs are in-scope, but the certificates they issue are not - That the rules about byte-for-byte apply for all certificates in scope - That the requirements for the ordering and sequencing of names is a forward-dated requirement. Although it can be argued that some of these are existing requirements, avoid any messiness by structuring it holistically. - Adds a note to 7.1.4 to call out that 7.1.2.2.1 provides an exception - State the exception in 7.1.2.2.1 both normatively and informatively, to try and avoid misinterpretation. This was based on Corey's feedback in https://github.com/sleevi/cabforum-docs/pull/36/files#r689880007
This removes the (buggy) description of DNS SRV and leaves it overall as a SHOULD NOT and in scope of the (existing) 7.1.4.2 requirements. It also fixes up a typo (extension OID -> type-id)
Originally it was part of the common fields, when there were multiple variations of non-TLS CAs. However, as there is only a single reference to this section, fold it in to the non-TLS profile. This hopefully makes it clearer about the EKU requirements for non-TLS CAs (being what defines something as non-TLS), and reduces some confusion around non-TLS and TLS common sections.
The existing language was buggy, in that a link target was updated, but not the section heading. However, it was further buggy due to the interactions between Affiliated and Non-Affiliated CAs. This overhauls it in line with the November and F2F discussions; unlike many of the other extensions in this section (which are dictated by RFC 5280 as being mandatory for certain situations), certificatePolicies is not, so this is demoted to a MAY. However, the language from RFC 5280 does set out some guidance - such as not recommending that a policyQualifier be present - and so that requirement is preserved, under the argument that a non-TLS CA should still align with RFC 5280 if issued under a BR CA. This does *remove* an existing BR requirement, namely those inherited from Section 7.1.6.3, but since that seemed to align with the intent of the SCWG, this should be a positive change.
This makes the requirement for the Reserved Policy Identifier to be the first policyIdentifier optional, while explaining with a note the basis for that logic. To avoid confusion, it makes it clear that only one instance of a Reserved Policy Identifier may be present (e.g. can't be simultaneously OV and EV)
This incorporates Corey's 04c55a4
The approach to SKI uniqueness was flagged as ambigous, and two options were presented: - Option 1, mandate the SKI generation algorithm - Option 2, clarify that it's only unique "for the CA" Option 2 still has security risks with respect to denial of service, but CAs were unsure about when Option 1 would b eimplementable (e.g. if mandating SHA-2, CA software that uses SHA-1 would need to be updated). For now, this goes with Option 2, although a mandatory algorithm would resolve the issues wholesale. This is adapted from Corey Bonnell's 41cb306
This adopts a 48 hour window, as proposed in 816ad7a
This moves the metadata prohibition and domain name prohibition from applying to all certificates to only applying to Subscriber certificates (and in particular, to IV/OV/EV). This also corrects the organizationalUnit name to reflect SC47v2.
This only affects the certificatePolicies for OCSP Responders and the naming rules (for all certificates), but shifts to a harmonized date.
This fixes a few unnumbered sections (around validity periods) and adjusts the formatting for several tables to better accomodate the text.
Fixup the OU field
For non-TLS CAs, don't allow them to assert the BR's CP OIDs, as the certificates will not be BR compliant.
In order for the precertificate signing CA to be considered technically constrained, restrict its EKU to only permitting it to issue precertificates. Additionally, add a cross-reference and tweak a MAY to a may, as the paragraph that follows the MAY contains the actual normative requirement, and this is just an informative explainer.
rfc822Name is allowed, and described, in 7.1.2.10.9, as its a translation of the requirements of 3.2.2.4/3.2.2.5/7.1.2.4 of the existing BRs, and there are some CA profiles that allow non-TLS EKUs to be present (for ex, cross-certification). For technically constrained TLS sub-CAs, it was originally present because of Mozilla Root Store Policy, Section 1.1, which requires out-of-scope CAs to constrain on that name type. However, since a TCSC TLS CA MUST NOT include EKUs other than serverAuth & clientAuth, it was seen as unnecessary to even allow rfc822Name.
| #### 7.1.2.4 All Certificates | ||
| | __Qualifier ID__ | __Presence__ | __Field Type__ | __Contents__ | | ||
| | --- | - | - | ----- | | ||
| | `id-qt-cps` (OID: 1.3.6.1.5.5.7.2.1) | MAY | `IA5String` | The HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the Issuing CA. | |
There was a problem hiding this comment.
@sleevi for a cross-cert not operated by the signing TSP, shouldn't the CPSuri point to the subordinate operator's policies? Also, there's a typo on line 2740 (extra "an")
There was a problem hiding this comment.
@wthayer Thanks for the typo flag.
This is actually a transcription of our current policies (7.1.2.2 (a) for Subordinate CAs)
HTTP URL for the Root CA’s Certificate Policies, Certification Practice Statement, Relying Party Agreement, or other pointer to online policy information provided by the CA.
I agree, it's not exactly intuitive. RFC 5280, 4.2.1.4 states:
In an end entity certificate, these policy information terms indicate
the policy under which the certificate has been issued and the
purposes for which the certificate may be used. In a CA certificate,
these policy information terms limit the set of policies for
certification paths that include this certificate.
Ignoring any policyQualifiers for a second, just for the policy identifier, it's clear that it's a restriction on the subordinate CA set by the issuer, in that it limits the 'set of policies for certification paths'.
That said, in practice, I suspect the vast majority of CAs have arguably misissued (per the BRs) the intermediates, by reading the clause as "HTTP URL for (the Root CA's CP, CPS, RPA) or (other pointer to online policy information provided by the CA)", rather than as "HTTP URL for the Root CA's (CP, CPS, RPA, or other pointer to online policy information)", and placed the subordinate CA's CPS URI in the certificate.
RFC 5280 does read somewhat against this practice, but it also fairly "YOLOs", when 4.2.1.4 states:
The CPS Pointer qualifier contains a pointer to a Certification
Practice Statement (CPS) published by the CA. The pointer is in the
form of a URI. Processing requirements for this qualifier are a
local matter. No action is mandated by this specification regardless
of the criticality value asserted for the extension.
"by the CA" seems to be "by this issuer" here, although it's also somewhat unsurprisingly targeted towards end-entity uses, rather than CAs.
There was a problem hiding this comment.
@wthayer Should we take this one to the list? I think this is probably an example of widespread misinterpretation (and thus, potentially, misissuance), but which we benefit from clarity on.
There was a problem hiding this comment.
@sleevi I now agree that the new language isn't a requirement change, so we may want to decouple this from the profiles ballot. Having said that, I agree that it's worth discussing. I'll bring it up on the next Validation call if you don't beat me to it.
There was a problem hiding this comment.
Sounds good.
I think this one could go either way, as hopefully I captured above, and so making this flexible in the profiles ballot is also a viable path (e.g. loosening the present requirement, until we figure out what it should be).
There was a problem hiding this comment.
I did some further (light) checking on this, it looks like DigiCert and Sectigo have been setting it correctly. The only one I found that looked misissued was the (now-expired) Let's Encrypt certificate from IdenTrust, as it had LE's CPS, rather than IdenTrust's.
So it may not be a widespread misinterpretation, but I also agree the current rules may not be great. This change does fix one area of weirdness though, with is if you have:
Root CA (Org 1) -> Cross-Sign CA (Org 2) -> Intermediate (Org 2), then under the existing BRs, "Intermediate" can contain a cPSUri (because it's not an affiliate of the root), but it needs to be Root CA's. The new language here would limit Intermediate (because it's the same as the Issuing CA), while if Intermediate was operated by Org 3, then it could contain Org 2's CPS, rather than Org 1.
It's good you flagged this, because this is a slight change, although it doesn't seem that it's being depended upon. I'll make sure to document as such.
| In addition, the following requirements apply to `subject` Attributes: | ||
|
|
||
| * `subject` Attributes MUST NOT contain only metadata such as '.', '-', and ' ' (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable. | ||
| * `subject` Attributes other than `commonName` MUST NOT include a Domain Name or IP Address. |
There was a problem hiding this comment.
Resuming the discussion here since #39 has been closed...
Can you explain a bit more how you believe this is an existing BR requirement? I don't see any obligation in the BRs to validate Domain Names that are not contained in the SAN/CN according to 3.2.2.4.
There was a problem hiding this comment.
From 7.1.2.4
CAs SHALL NOT include a Domain Name or IP Address in a Subject attribute except as specified in Section 3.2.2.4 or Section 3.2.2.5.
From 3.2.2.4
Note: FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension or in Subordinate CA Certificates via dNSNames in permittedSubtrees within the Name Constraints extension.
From 9.6.1:
implemented a procedure for verifying that the Applicant either had the right to use, or had control of, the Domain Name(s) and IP address(es) listed in the Certificate’s subject field and subjectAltName extension (or, only in the case of Domain Names, was delegated such right or control by someone who had such right to use or control);
There was a problem hiding this comment.
Isn't the note in 3.2.2.4 clarifying that validation is only required for the SAN dNSNames or permittedSubtrees field of the NC extension? I don't believe it's prohibiting the inclusion of values that conform to Domain Name syntax in other fields. If it did, the current language would prohibit the inclusion of Domain Names in CN.
More fundamentally, any prohibition on Domain Names or IP Addresses from appearing in Subject attributes would have the logical conclusion that any OV/EV Subscriber Certificate today with a countryName value of "US" is mis-issued unless the Applicant asserted control of the entire ".us" TLD. I don't believe that's the state of the WebPKI today, so the current ballot language is more restrictive than the current requirements.
There was a problem hiding this comment.
Isn't the note in 3.2.2.4 clarifying that validation is only required for the SAN dNSNames or permittedSubtrees field of the NC extension?
I've always read it as an upper-bound, not a minimum.
If it did, the current language would prohibit the inclusion of Domain Names in CN.
Well, we already limit things, by requiring the CN contain the SAN, right?
I think we're in agreement that the language, as written, is internally inconsistent. However, I'm not sure how you can hold the current position, since it seems to require ignoring the clear language of 7.1.2.4 and 9.6.1. I wasn't sure: Were you trying to point out the inconsistency (which is trying to be addressed), or were you trying to argue that the overall interpretation holds consistent with the requirements?
I don't believe that's the state of the WebPKI today, so the current ballot language is more restrictive than the current requirements.
"More restrictive" is an interesting choice, because it seems the comparison is between "Don't do it" and "validate the authorization if you do it" (unless you ignore 7.1.2.4/9.6.1). That is, it's only more restrictive if we believe that CAs are presently validating that C=US means the subject is entitled to issue for all of the .us TLD, and that this would forbid it.
But I think that gets to your above point, that you haven't seen the requirements of 7.1.2.4/9.6.1 as "validate every domain name in a(ny) Subject Field", but rather "validate any domain names in (these) Subject fields". That's not what we have presently written, though, but perhaps you can help me understand how you reach that conclusion?
For example, digging in the older BRs, such as when the CA/B Forum allowed domainComponent, which it did until Ballot 148 in Version 1.2.5 (redline)
Of course, even if you look back that far, the language was unambiguous:
CAs SHALL NOT include a Domain Name in a Subject attribute except as specified in Sections 9.2.1
and 9.2.2(a) below
The refactor to the BRs (in v.1.3.0) changed that language to the present form (referencing 3.2.2.4 / 3.2.2.5), but you can see from the discussion, the intent was to preserve the existing requirements.
There was a problem hiding this comment.
But I think that gets to your above point, that you haven't seen the requirements of 7.1.2.4/9.6.1 as "validate every domain name in a(ny) Subject Field", but rather "validate any domain names in (these) Subject fields". That's not what we have presently written, though, but perhaps you can help me understand how you reach that conclusion?
Although it sounds like you don't agree, I believe the Note in 3.2.2.4 makes it clear that validation is only required for values contained in the SAN/NC. The language in 7.1.2.4 and 9.6.1 references 3.2.2.4, so, while not entirely clear, the BRs are not stating there is an obligation to validate other Subject attribute values per 3.2.2.4/5, only those that contain values echoed in the SAN/NC. Otherwise, as I pointed out previously, if the current requirements are to be read that every Subject attribute value that contains a Domain Name or IP Address must be validated by 3.2.2.4/3.2.2.5, then virtually every OV/EV certificate issued today is mis-issued due to the lack of validation of the countryName value as a Domain Name (or other attributes, for that matter). I imagine the vast majority BR readers would find this to be a quite surprising interpretation.
In drafting the ballot language, I think it would be useful to first have a goal in mind. If I understand the concern correctly, we want to ensure that CN values undergo 3.2.2.4/3.2.2.5 validation, as the CN-ID may be used for hostname identification. I am unaware of any standard that defines other attributes as suitable for hostname identification. In other words, if a client implementation is extracting the hostname from the organizationName attribute, then that implementation is flawed. Therefore, I'm not seeing a reason to mandate 3.2.2.4/3.2.2.5 for any attribute besides CN. Can you clarify what your goal is here?
There was a problem hiding this comment.
Personally (i.e. input is needed from others), I think that BOTH organization vetting through government business registries AND 3.2.2.4 validation would be the way to go for organization names that are also domain names before they are allowed in other subject attribute fields. I don't see a need for anyone to put IP addresses in other applicant-controlled fields, so that should just be forbidden.
There was a problem hiding this comment.
OK, this is super helpful, thanks @clintwilson and @BenWilson-Mozilla !
I agree, it’s definitely something worth further discussion during the review. And @CBonnell has rightfully pointed out areas the current language is overbroad, so we can definitely work to address those.
@CBonnell I’ll try to make an update to the language here to clarify, based on the excellent points you’ve raised, and we’ll continue to discuss. But I think the above shows a bit of directional alignment to the goal, and how we fix the existing (but buggy/overly restrictive, as you point out) language.
There was a problem hiding this comment.
This turned out to be rather devilish, so thanks again for raising this. In looking through UTS#46 and related, it understandably is complex to validate this in a reliable, automated fashion (the best kind of validation).
The options here are either taking an overly broad/restrictive approach, which shunts every 'maybe' into a DV case, which I think is fine in theory, but still somewhat tricky to define as such, or attempt to come up with a nuanced approach that still lets "obvious" badness through. For example, the Numbers Period ( https://unicode-table.com/en/blocks/enclosed-alphanumerics/ - U+2488 - U+249B ) that decompose into fullstops, which are not valid IDNA, but which could still be visually confusable (U+2491 0 . 0 . 1) becomes "10.0.0.1"
I'm still needing to do CT examinations for this data to understand the implications for existing certs, but the current thinking for "potential domain name or IP address" language is
- Two or more sequences of two or more characters separated by FULL STOP (U+002E), FULLWIDTH FULL STOP (U+FF03), IDEOGRAPHIC FULL STOP (U+3002), HALFWIDTH IDEOGRAPHIC FULL STOP (U+FF61)
- Note: This ends up not being able to prevent the "Numbers Period" character ranges because of their decomposition, unless they're mapped per IDNA
- Note: This also ends up including/catching "spol. s r.o" (Slovakia), since whitespace is a character (invalid in IDNA, but you don't know until you've processed the string)
- Note: This ends up (incorrectly) allowing
domainComponentdecomposition, which you highlighted in Profiles WIP #36 (comment)
- Any sequence of characters that may be successfully parsed according to the textual representation of an IPv6 address, per RFC 4291, Section 2.2
- Four sequences of digits separated by FULL STOP (U+002E), FULLWIDTH FULL STOP (U+FF03), IDEOGRAPHIC FULL STOP (U+3002), HALFWIDTH IDEOGRAPHIC FULL STOP (U+FF61)
Alternatively, if we accept that (malicious) confusables are possible, for as long as "attacker controlled" strings are present in the Subject (e.g. before any explicit MUST NOT of any other value), then an alternative is just to repurpose the language from Ballot SC48v2, focusing on just the ASCII minimal encodings, and saying no instances (outside of organizationName, per above)
What are your thoughts, while I dig into this?
There was a problem hiding this comment.
A few thoughts:
-
I like the proposal for IPv4 and IPv6 addresses; it addresses the concern with decimal or hex-encoded IP addresses that I raised earlier.
-
My understanding was that the requirement to vet per 3.2.2.4 is applicable solely to attribute values that match Domain Name syntax in its entirety, not necessarily contains/substring match. If the latter, then the logic becomes much more difficult. If the requirement is for substring matches to be vetted, then O values such as "O=Foo Enterprises, Co.Ltd" or "O=United PKI Workers Credit Union of St.Louis" need "Co.Ltd" and "St.Louis" to be vetted, respectively.
-
Performing NFKC normalization on the attribute value string should catch the "Numbers Period" case you outlined above.
-
An additional complication is that some user agents will display the A-label representation of the peer hostname in the address bar if certain checks (confusables, presence of multiple scripts, etc.) fail. Since the
organizationNamevalue is a not a IDNA-aware domain name slot, it will likely not undergo the same UI treatment as the address bar. So even if we write specific rules surrounding non-ASCII characters in theorganizationName, UI display will likely not be consistent across browsers. In other words, restrictions on the allowed set of values encoded in certificates is an incomplete mitigation given that there is no standard for the display of certificate contents in user agents.
I realize the above points aren't a comprehensive treatment of the issue, but I wanted to share them to keep the discussion going.
There was a problem hiding this comment.
My understanding was that the requirement to vet per 3.2.2.4 is applicable solely to attribute values that match Domain Name syntax in its entirety,
No, we discussed on our call yesterday why that's not the case. An O field of "Authorized representative of Example.com, LLC" has the same problem.
then O values such as "O=Foo Enterprises, Co.Ltd" or "O=United PKI Workers Credit Union of St.Louis" need "Co.Ltd" and "St.Louis" to be vetted, respectively.
Yes, it does mean that, by default, the CA would need to block such fields. They can then decide whether to issue a DV certificate (avoiding the issue), or escalating for review to determine if the provisions under (old BRs 7.1.4.2.2(b) / this PR the table), for example, if "Co.Ltd" could be transformed to "Co. Ltd" or "St.Louis" becomes "St. Louis"
This is what makes it a compromise proposal: It avoids the current approach of outright blocking.
Performing NFKC normalization on the attribute value string should catch the "Numbers Period" case you outlined above.
Just making sure I parse this suggestion: Is it that the encoded fields contain the normalized form? Or that the CA needs to normalize, then process, while encoding the un-normalized values? I used "numbers period" as an example, but I think really it's a question of what extent U-Labels are or can be protected against, since plenty of other confusables exist in this problem space. I think that's where we're in agreement?
It doesn't sound like your reply has identified any breaking issues with the proposed approach, other than yes, there are trade-offs, but hopefully in a way that are readily implementable and potentially unambiguous?
It sounds like next steps are for more concrete language to be added, to make sure any other tradeoffs are identified.
This clarifies the language around precerts by: * harmonizing on 'corresponding Certificate' instead of 'equivalent Certificate' * changing 'byte-for-byte equivalent' to 'byte-for-byte identical' to avoid any ambiguity * Rewording the AKI section when using a Precert Signing CA, to avoid stating the same requirement several ways that might be read as giving conflicting or different guidance, and RECOMMENDING/SHOULD harmonizing on the AKI containing the Precert Signing CA's SKI, as the Log is expected to transform and substitute (and all observed logs appear to do so).
| Subject attributes MUST NOT contain only metadata such as '.', '-', and ' ' (i.e. space) characters, and/or any other indication that the value is absent, incomplete, or not applicable. | ||
| * Each `Name` MUST contain an `RDNSequence`. | ||
| * Each `RelativeDistinguishedName` MUST contain exactly one `AttributeTypeAndValue`. | ||
| * Each `RelativeDistinguishedName`, if present, is encoded within the `RDNSequence` in the order that it appears in [Section 7.1.4.2](#7142-subject-attribute-encoding). |
There was a problem hiding this comment.
How would fields need to be handled that are not in the current list? E.g. subject:businessCategory or subject:jurisdictionLocalityName from EVG? I'm also interested to know if there's a source for this requirement, or what's the driver for the ordering?
There was a problem hiding this comment.
You mean, where would these be sorted?
These are requirements derived from the semantics of RFC 5280 and X.509. A DN is hierarchical in semantic naming, and an RDN with multiple elements is saying that these names are semantically equivalent hierarchically.
For the name forms listed, they are not semantically equivalent (e.g. a countryName is not the same hierarchy as a localityName / interchangeable with), and there is a semantic hierarchy.
These are already existing logical requirements, just being made explicit.
There was a problem hiding this comment.
Yes, I wonder about the order of fields not in this list.
I understand the hierarchy to order logic, but is the order defined in Section 7.1.4.2 based on an existing specification, or how did we come to this ordering?
There was a problem hiding this comment.
It is based on the definitions within X.509 and X.520, given these fields are generally geographical in nature.
That said, there’s definitely flexibility here to get us closer to consistency among CAs, which is a key point of profiling, so if there are changes and concerns, it’s totally appropriate to highlight.
Prior relevant art includes RFC 2377, RFC 1218, and RFC 1255
This reworks the presentation and format of the certificatePolicies
extensions, better aligning to the BRs, and hopefully providing
sufficient clarity:
Relaxations:
- Reserved Policy OID is * no longer* required to be first, but is
RECOMMENDED (SHOULD).
- The separation of "Affiliated" and "Unaffiliated" for certificate
policies is removed. This was introduced for Cross-Certified
Sub-CAs, but resulted in some ambiguity about what happens when a
Technically Constrained (non-TLS or nameConstraints) Sub-CA is
operated by a non-Affiliated entity. The requirements around
Affiliation are now folded into a common section, rather than being
two sections.
- Although not permitted by the current BRs, the cPSuri is now
explicitly allowed for all certificate policies (_including_ for
anyPolicy).
- anyPolicy is now explicitly permitted (but NOT RECOMMENDED) for
OCSP Responders
- Reserved CABF OIDs are now explicitly permitted (but NOT RECOMMENDED)
for OCSP Responders.
Clarifications:
- A note is added to the OCSP Responder section explaining that
because CPs limit the validity and purposes of a certificate, it
becomes possible to create an "invalid" responder that clients will
reject (and thus also reject responses), and that this is part of
the reason for forbidding.
- For TLS certificates, the requirements for CPs for sub-CAs versus
leaf certificates had a slightly different wording: whether a given
CP needed to be documented by the CA (e.g. could be any policy,
including a reserved CP or anyPolicy) or needed to be _defined_ and
documented by the CA (i.e. must be from the CA's own OID arc). This
harmonizes the language for TLS ("defined by"), while still leaving a
fairly large carveout for non-TLS ("documented").
Comparison of Changes to v1.8.1
Definitions
Cleanups
iPAddresscan appear, as that's now reflected in the profiles themselves.subjectAltNamerequirements, as thesubjectAltNamewas refactored.Root CA Certificates (7.1.2.1)
The scope of what classifies for this section is addressed in Section 1.6.1 of the BRs.
version: RFC 5280, Section 4.1.2.1 states "When extensions are used, as expected in this profile, version MUST be 3 (value is 2)". Extensions are always used.serialNumber: RFC 5280, Section 4.1.2.2 states "the serial number MUST be a positive integer". Further, it notes that zero is not positive, as "Note: non-conforming CAs may issue certificates with serial numbers that are negative or zero." Section 7.1 of the BRs requires that at least 64 bits of output from a CSPRNG.signature: Unchanged. This continues to be addressed by BRs 7.1.3.2issuer: Unchanged. This was previously within BRs 7.1.4.1validity: This is a new requirement. The validity intervals were chosen based on the Microsoft Root Program requirements, A.3.subject: BRs 7.1.4.3 already requiredcountryName,organizationName, andcommonName, and set forth rules for validating. All other fields were to be required to be validated as set forth in the CA's CP/CPS. This profile extends guidance for the semantics ofstateOrProvinceName,localityName,postalCode, andstreetAddress, in line with the BRs existing gudance for Subscriber Certificates (7.1.4.2.2). Although these are left as MAY in v1, the intent is to move them to NOT RECOMMENDED/MUST NOT in v2 (for new certificates).issuerUniqueID: RFC 5280, Section 4.1.2.8, states "CAs conforming to this profile MUST NOT generate certificates with unique identifiers"subjectUniqueID: RFC 5280, Section 4.1.2.8, states "CAs conforming to this profile MUST NOT generate certificates with unique identifiers"signatureAlgorithm: RFC 5280, Section 4.1.2.2 states "This field MUST contain the same algorithm identifier as the signature field in the sequence tbsCertificate"Extensions
authorityKeyIdentifier:keyIdentifier: RFC 5280, 4.2.1.1 states "The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction. There is one exception; where a CA distributes its public key in the form of a "self-signed" certificate, the authority key identifier MAY be omitted." Although this MAY indicates it is optional for root certificates (with good reason), this profile continues to RECOMMEND that it be included, as this helps assist applications such as Microsoft Windows (among several), which can prioritize matches between thesubjectKeyIdentifierandauthorityKeyIdentifierover matches likesubjectandissuername. In the absence of anauthorityKeyIdentifieron the root, a cross-signed certificate may receive higher preference than the self-signed root, resulting in longer chains and more expensive path processing.authorityCertIssuer: This is a new requirement. This is partially derived from Mozilla Root Store Policy, which restricts the inclusion. However, it is also explicitly restricted for efficiency: theauthorityCertIssuer/authorityCertSerialNumbermethod ofauthorityKeyIdentifiers is less efficient to transmit and process. This is not broadly supported in Web PKI implementations, nor necessary for Web PKI.authorityCertSerialNumber: This is a new requirement. This is partially derived from Mozilla Root Store Policy, which restricts the inclusion. However, it is also explicitly restricted for efficiency: theauthorityCertIssuer/authorityCertSerialNumbermethod ofauthorityKeyIdentifiers is less efficient to transmit and process. This is not broadly supported in Web PKI implementations, nor necessary for Web PKI.authorityCertIssuerandauthorityCertSerialNumberalign with BRs 7.1.2.2 (h), for subordinate CAs.basicConstraints: RFC 5280, Section 4.2.1.9 and BRs 7.1.2.1 (a)keyUsage: BRs 7.1.2.1 (b) already explicitly require usages be asserted. A new requirement/clarification makes it clear that other usages MUST NOT be asserted. This is derived from the fact that CA private keys must not be used except as specified.subjectKeyIdentifier: RFC 5280, Section 4.2.1.2 states "... this extension MUST appear in all conforming CA certificates ...", and sets forth expected semantics. A new requirement is introduced, in line with the remarks with respect toauthorityKeyIdentifier, that the SKI needs to be unique for each unique public key. Multiple certificates for the same public key can share the same SKI, but different public keys should not.extKeyUsage: BRs 7.1.2.1 (d)certificatePolicies: BRs 7.1.2.1 (c). When present, this aligns with subordinate CAs, previously expressed in BRs 7.1.2.2 (a)Cross-Certified Subordinate CA (7.1.2.2)
This is meant to capture any time a certificate is issued with the same name and key of an existing certificate.
The first time a name and key are used, the CA uses one of 7.1.2.3, 7.1.2.4, 7.1.2.5, or 7.1.2.6. However, if that name or key are reused, then the profile of 7.1.2.2 applies.
This means, for example, if a CA is performing a CA key signing ceremony under one of 7.1.2.3 - 7.1.2.6, and a mistake is made and detected (e.g. post-issuance linting), before performing the ceremony again, the CA MUST confirm that the requirements of 7.1.2.2 are met OR they must use a new name and key. This is explicitly intentional, to reduce the risk of "buggy" certificates using the same name and key as "good" certificates, and to ensure that ceremonies are carefully reviewed. Changing the name OR the key is sufficient to allow both ceremonies to be performed under 7.1.2.3 - 7.1.2.6, although in general, changing the key will be best, due to the interplay with
subjectKeyIdentifier.version: RFC 5280, Section 4.1.2.1 states "When extensions are used, as expected in this profile, version MUST be 3 (value is 2)". Extensions are always used.serialNumber: RFC 5280, Section 4.1.2.2 states "the serial number MUST be a positive integer". Further, it notes that zero is not positive, as "Note: non-conforming CAs may issue certificates with serial numbers that are negative or zero." Section 7.1 of the BRs requires that at least 64 bits of output from a CSPRNG.signature: Unchanged. This continues to be addressed by BRs 7.1.3.2issuer: Unchanged. This was previously within BRs 7.1.4.1validity: This is a new requirement. ThenotBeforedate is allowed to be any date in the range of [earliest in-scope doppelganger CA'snotBefore, signing time], to allow existing certificates (with anotBeforeearlier than the current time) to continue to work with the new Cross-Certified Subordinate CA, and to assist in path building for applications that prioritize paths based on thenotBeforedate. ThenotAfterdate does not have an upper-bound defined, as applications may also prioritize paths based onnotBeforebeing earlier, or later, than other doppelganger CAs.subject:countryName,organizationName, andcommonName, and set forth rules for validating. All other fields were to be required to be validated as set forth in the CA's CP/CPS. This profile extends guidance for the semantics ofstateOrProvinceName,localityName,postalCode, andstreetAddress, in line with the BRs existing gudance for Subscriber Certificates (7.1.4.2.2). Although these are left as MAY in v1, the intent is to move them to NOT RECOMMENDED/MUST NOT in v2 (for new certificates).streetAddressorlocalityName, provided that it complied with the rules at the time of issuance, such as the old rules of just requiring it be documented in the CA's CP/CPS.issuerUniqueID: RFC 5280, Section 4.1.2.8, states "CAs conforming to this profile MUST NOT generate certificates with unique identifiers"subjectUniqueID: RFC 5280, Section 4.1.2.8, states "CAs conforming to this profile MUST NOT generate certificates with unique identifiers"signatureAlgorithm: RFC 5280, Section 4.1.2.2 states "This field MUST contain the same algorithm identifier as the signature field in the sequence tbsCertificate"Extensions
authorityKeyIdentifier: BRs 7.1.2.2 (h)basicConstraints: RFC 5280, Section 4.2.1.9 and BRs 7.1.2.2 (d)certificatePolicies: This is a mix of clarifications and new requirements.anyPolicystates "MAY contain the anyPolicy identifier (2.5.29.32.0) in place of an explicit policy identifier." Both individually and together, these mean thatanyPolicyis mutually exclusive with any other policies.policyQualifiersis NOT RECOMMENDED for non-Affiliated CAs.policyQualifierofcPSUriwhen the CA is not an Affiliate of the Issuing CA. This is whypolicyQualifiersis MUST NOT for Affiliated-CAs.crlDistributionPoints: This is a new requirement.DistributionPoints, each with one URL in thefullName, or as a singleDistributionPointwith multiplefullNames. Given that differences inDistributionPointare meant to reflect different scopes, this encourages the latter approach, of multiplefullNames, which mostly aligns with existing practice. This does not yet forbid multipleDistributionPoints, but that is planned for a follow-up ballot.reasonsor attempt to use delegated CRL signing certificates (cRLIssuer), as neither are well-supported in existing clients and introduce significant complexity. CAs are still permitted to split CRLs bydistributionPointURL (aka "sharding"), provided they ensure that theissuingDistributionPointextension in the CRL is critical, as required by RFC 5280, 5.2.5 for such scenarios.keyUsage: BRs 7.1.2.1 (b) already explicitly require usages be asserted. A new requirement/clarification makes it clear that other usages MUST NOT be asserted. This is derived from the fact that CA private keys must not be used except as specified.subjectKeyIdentifier: RFC 5280, Section 4.2.1.2 states "... this extension MUST appear in all conforming CA certificates ..."extKeyUsage: This is a new requirement.authorityInformationAccess: This is a new requirement.crlDistributionPoints, the ordering of URLs implies processing semantics on clients, and only particular URL schemes are supported. Namely, if one of the two supported access methods are present (CA issuer or OCSP), then the only URLs present MUST be HTTP URLs, and MUST be listed in order of priority.nameConstraints:nameConstraints, but some concern was raised whether or not those rules only apply in the context of Technically Constrained Sub-CAs, or if those rules also extended to certificates that were capable of TLS issuance, but which didn't meet the Technically Constrained definition. BRs 7.1.2.4 sets rules in general for extensions, which would apply here, and 3.2.2.4 / 3.2.2.5 further expressed rules around the field. This restructures the definition to make it unambiguous that anynameConstraintextension needs to, minimally, match these requirements.rfc822Nameare introduced. This is to account for the fact that a Technically Constrained Non-TLS Sub-CA is still within scope of the BRs, if it is issued by an in-scope Issuing CA. In order for that non-TLS Sub-CA to also be seen as technically constrained for its purpose (e.g. technically constrained for email), it's necessary to be explicit thatrfc822Nameis permitted. The existing rules from 7.1.2.4 would apply to anyrfc822Nameconstraint, and this attempts to derive the functional requirements for this field, also in line with the existing requirements of 3.2.2.4 / 3.2.2.5. Although not intended to be seen as a "new" requirement, as these are reflected through the combination of existing requirements and clauses, it may be seen as such.otherNameand other name forms are derived from BRs 7.1.2.4. Making these MUST NOT was deferred to v2.Technically Constrained Non-TLS Subordinate CA (7.1.2.3)
This is a new profile meant to capture a "not used for TLS" intermediate. When issued from a TLS-capable CA (e.g. one with no EKU restrictions), the issuance is still subject to the BRs, but any operation - such as private key protection, auditing, logging, issuance beneath - are seen as out of scope. The purpose of this profile is to ensure that such issuance aligns with RFC 5280 and the BRs, such that it can be seen as reduced risk.
Note, however, that it relies on using EKU to exclude from scope. Not all applications support this logic or behaviour, and so root programs MAY still set further requirements, including the use of audits. It MAY be that this form of issuance is prohibited in the future from BR-compliant CAs.
version: RFC 5280, Section 4.1.2.1 states "When extensions are used, as expected in this profile, version MUST be 3 (value is 2)". Extensions are always used.serialNumber: RFC 5280, Section 4.1.2.2 states "the serial number MUST be a positive integer". Further, it notes that zero is not positive, as "Note: non-conforming CAs may issue certificates with serial numbers that are negative or zero." Section 7.1 of the BRs requires that at least 64 bits of output from a CSPRNG.signature: Unchanged. This continues to be addressed by BRs 7.1.3.2issuer: Unchanged. This was previously within BRs 7.1.4.1validity: This is a new requirement. ThenotBeforeis permitted to be backdated up to 1 day. ThenotAftermust be equal to or later than the time of signing, and thus prohibits signing expired CAs.subject: BRs 7.1.4.3 already requiredcountryName,organizationName, andcommonName, and set forth rules for validating. All other fields were to be required to be validated as set forth in the CA's CP/CPS. This profile extends guidance for the semantics ofstateOrProvinceName,localityName,postalCode, andstreetAddress, in line with the BRs existing gudance for Subscriber Certificates (7.1.4.2.2). Although these are left as MAY in v1, the intent is to move them to NOT RECOMMENDED/MUST NOT in v2 (for new certificates).issuerUniqueID: RFC 5280, Section 4.1.2.8, states "CAs conforming to this profile MUST NOT generate certificates with unique identifiers"subjectUniqueID: RFC 5280, Section 4.1.2.8, states "CAs conforming to this profile MUST NOT generate certificates with unique identifiers"signatureAlgorithm: RFC 5280, Section 4.1.2.2 states "This field MUST contain the same algorithm identifier as the signature field in the sequence tbsCertificate"Extensions
authorityKeyIdentifier: BRs 7.1.2.2 (h)basicConstraints: RFC 5280, Section 4.2.1.9 and BRs 7.1.2.2 (d)certificatePolicies: This attempts to clarify the existing 7.1.6.3 as it applies to non-TLS CAsanyPolicypolicyQualifierwierdness for affiliated CAcrlDistributionPoints: This is a new requirement.DistributionPoints, each with one URL in thefullName, or as a singleDistributionPointwith multiplefullNames. Given that differences inDistributionPointare meant to reflect different scopes, this encourages the latter approach, of multiplefullNames, which mostly aligns with existing practice. This does not yet forbid multipleDistributionPoints, but that is planned for a follow-up ballot.reasonsor attempt to use delegated CRL signing certificates (cRLIssuer), as neither are well-supported in existing clients and introduce significant complexity. CAs are still permitted to split CRLs bydistributionPointURL (aka "sharding"), provided they ensure that theissuingDistributionPointextension in the CRL is critical, as required by RFC 5280, 5.2.5 for such scenarios.keyUsage: BRs 7.1.2.1 (b) already explicitly require usages be asserted. A new requirement/clarification makes it clear that other usages MUST NOT be asserted. This is derived from the fact that CA private keys must not be used except as specified.subjectKeyIdentifier: RFC 5280, Section 4.2.1.2 states "... this extension MUST appear in all conforming CA certificates ..."extKeyUsage: This clarifies existing requirements.id-kp-serverAuthand recommending against multiple key purposes.authorityInformationAccess: This is a new requirement.crlDistributionPoints, the ordering of URLs implies processing semantics on clients, and only particular URL schemes are supported. Namely, if one of the two supported access methods are present (CA issuer or OCSP), then the only URLs present MUST be HTTP URLs, and MUST be listed in order of priority.nameConstraints:nameConstraints, but some concern was raised whether or not those rules only apply in the context of Technically Constrained Sub-CAs, or if those rules also extended to certificates that were capable of TLS issuance, but which didn't meet the Technically Constrained definition. BRs 7.1.2.4 sets rules in general for extensions, which would apply here, and 3.2.2.4 / 3.2.2.5 further expressed rules around the field. This restructures the definition to make it unambiguous that anynameConstraintextension needs to, minimally, match these requirements.rfc822Nameare introduced. This is to account for the fact that a Technically Constrained Non-TLS Sub-CA is still within scope of the BRs, if it is issued by an in-scope Issuing CA. In order for that non-TLS Sub-CA to also be seen as technically constrained for its purpose (e.g. technically constrained for email), it's necessary to be explicit thatrfc822Nameis permitted. The existing rules from 7.1.2.4 would apply to anyrfc822Nameconstraint, and this attempts to derive the functional requirements for this field, also in line with the existing requirements of 3.2.2.4 / 3.2.2.5. Although not intended to be seen as a "new" requirement, as these are reflected through the combination of existing requirements and clauses, it may be seen as such.otherNameand other name forms are derived from BRs 7.1.2.4. Making these MUST NOT was deferred to v2.Technically Constrained Precertificate Signing CA (7.1.2.4)
This attempts to clarify the role of Precertificate Signing CAs in the BRs. Under RFC 6962, a Precertificate Signing CA's EKU extension only needs to contain the Precertificate Signing Certificate EKU, and CT Logs are supposed to ignore any EKU chaining restrictions when validating precertificates from this CA. In this scenario, the BRs 7.1.5 rules for Name Constraints would suggest that such a CA is Technically Constrained.
BUG/TODO: Fix this
Technically Constrained TLS Subordinate CA (7.1.2.5)
This profile is otherwise identical to the general Subordinate TLS CA Profiles, with the exception of
nameConstraintsbeing required.version: RFC 5280, Section 4.1.2.1 states "When extensions are used, as expected in this profile, version MUST be 3 (value is 2)". Extensions are always used.serialNumber: RFC 5280, Section 4.1.2.2 states "the serial number MUST be a positive integer". Further, it notes that zero is not positive, as "Note: non-conforming CAs may issue certificates with serial numbers that are negative or zero." Section 7.1 of the BRs requires that at least 64 bits of output from a CSPRNG.signature: Unchanged. This continues to be addressed by BRs 7.1.3.2issuer: Unchanged. This was previously within BRs 7.1.4.1validity: This is a new requirement. ThenotBeforeis permitted to be backdated up to 1 day. ThenotAftermust be equal to or later than the time of signing, and thus prohibits signing expired CAs.subject: BRs 7.1.4.3 already requiredcountryName,organizationName, andcommonName, and set forth rules for validating. All other fields were to be required to be validated as set forth in the CA's CP/CPS. This profile extends guidance for the semantics ofstateOrProvinceName,localityName,postalCode, andstreetAddress, in line with the BRs existing gudance for Subscriber Certificates (7.1.4.2.2). Although these are left as MAY in v1, the intent is to move them to NOT RECOMMENDED/MUST NOT in v2 (for new certificates).issuerUniqueID: RFC 5280, Section 4.1.2.8, states "CAs conforming to this profile MUST NOT generate certificates with unique identifiers"subjectUniqueID: RFC 5280, Section 4.1.2.8, states "CAs conforming to this profile MUST NOT generate certificates with unique identifiers"signatureAlgorithm: RFC 5280, Section 4.1.2.2 states "This field MUST contain the same algorithm identifier as the signature field in the sequence tbsCertificate"Extensions
authorityKeyIdentifier: BRs 7.1.2.2 (h)basicConstraints: RFC 5280, Section 4.2.1.9 and BRs 7.1.2.2 (d)certificatePolicies: This is a mix of clarifications and new requirements.anyPolicystates "MAY contain the anyPolicy identifier (2.5.29.32.0) in place of an explicit policy identifier." Both individually and together, these mean thatanyPolicyis mutually exclusive with any other policies.policyQualifiersis NOT RECOMMENDED for non-Affiliated CAs.policyQualifierofcPSUriwhen the CA is not an Affiliate of the Issuing CA. This is whypolicyQualifiersis MUST NOT for Affiliated-CAs.crlDistributionPoints: This is a new requirement.DistributionPoints, each with one URL in thefullName, or as a singleDistributionPointwith multiplefullNames. Given that differences inDistributionPointare meant to reflect different scopes, this encourages the latter approach, of multiplefullNames, which mostly aligns with existing practice. This does not yet forbid multipleDistributionPoints, but that is planned for a follow-up ballot.reasonsor attempt to use delegated CRL signing certificates (cRLIssuer), as neither are well-supported in existing clients and introduce significant complexity. CAs are still permitted to split CRLs bydistributionPointURL (aka "sharding"), provided they ensure that theissuingDistributionPointextension in the CRL is critical, as required by RFC 5280, 5.2.5 for such scenarios.keyUsage: BRs 7.1.2.1 (b) already explicitly require usages be asserted. A new requirement/clarification makes it clear that other usages MUST NOT be asserted. This is derived from the fact that CA private keys must not be used except as specified.subjectKeyIdentifier: RFC 5280, Section 4.2.1.2 states "... this extension MUST appear in all conforming CA certificates ..."extKeyUsage: This attempts to clarify existing requirements.id-kp-serverAuthand (as a MAY)id-kp-clientAuthare permitted.authorityInformationAccess: This is a new requirement.crlDistributionPoints, the ordering of URLs implies processing semantics on clients, and only particular URL schemes are supported. Namely, if one of the two supported access methods are present (CA issuer or OCSP), then the only URLs present MUST be HTTP URLs, and MUST be listed in order of priority.nameConstraints:dNSName,iPAddress, andDirectoryNamerfc822Nameare introduced.otherNameand other name forms are derived from BRs 7.1.2.4. Making these MUST NOT was deferred to v2.