Kathleen -
My interpretation of a "No Stipulation" in a CP is that the Policy has "No
rules defined for this section"
In these cases, I expect the CPS to state what is actually done in support of
that section and therefore "No Stipulation" is not appropriate in a CPS. The
CPS should instead state whether or not they implement anything in response to
that section or if they consider that section Not Applicable because there are
no stated requirements.
It can mean slightly different things in different sections so for example
1.3.5 Other Participants - I would expect the CPS to list what other
participants might be involved
Where as
3.1.5 Uniqueness of Names - I would expect the CPS to state whether or not they
enforce Uniqueness of names and if they do - how this is enforced
In a TLS CP/CPS that adheres to the BRs, I would expect the CPS to clearly
state which of the validation methods is supported and how, where the CP may
leave this up to individual subordinate CAs by having No Stipulation at the CP
level. For these sections I would expect the CPS to either state the method is
not supported or it is and how. "Not applicable" would not be appropriate.
Thanks, (just my personal opinion)
Wendy Brown
Protiviti Government Services
703-299-4705 (office) 703-965-2990 (cell)
wendy.br...@protiviti.com
-----------------------------
Date: Tue, 9 Oct 2018 09:48:26 -0700
From: Kathleen Wilson <kwil...@mozilla.com>
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: What does "No Stipulation" mean, and when is it OK to use it
in CP/CPS?
Message-ID: <n5sdneed28pgrihgnz2dnuu7-fpnn...@mozilla.org>
Content-Type: text/plain; charset=utf-8; format=flowed
All,
I would like to create some written rules about using "No Stipulation"
in CP and CPS documents; e.g. what it means, and when it is OK to be used.
First, I will appreciate your thoughts about what the term "No Stipulation"
means. e.g. does it mean one or all of the following?
"No rules defined for this section"
"This section is not applicable"
"This section is not allowed"
"This section is not used"
Can "No Stipulation" mean different things based on the context of the section?
For example
"1.3.5 Other Participants
No stipulation."
Does that mean ?no other participants are allowed??
Here is what RFC 3647 says about the term:
""
While many topics are identified, it is not necessary for a CP or a
CPS to include a concrete statement for every such topic. Rather, a
particular CP or CPS may state "no stipulation" for a component,
subcomponent, or element on which the particular CP or CPS imposes no
requirements or makes no disclosure. In this sense, the list of
topics can be considered a checklist of topics for consideration by
the CP or CPS writer.
It is recommended that each and every component and subcomponent be
included in a CP or CPS, even if there is "no stipulation"; this will
indicate to the reader that a conscious decision was made to include
or exclude a provision concerning that topic. This drafting style
protects against inadvertent omission of a topic, while facilitating
comparison of different certificate policies or CPSs, e.g., when
making policy mapping decisions.
""
It seems a little ambiguous to me, so I would like to have a written statement
about what "No Stipulation" means within CP and CPS documents, especially in
regards to SSL certificate issuance.
Here are two examples that I've seen recently.
== Example 1 ==
In this situation, the CA has one CP that covers different types of roots, so
the CPS for the different roots has the details. There is no further detailed
public documentation beyond the CPS.
In the CA's CP:
3.1.2 Need for Names to be Meaningful
No Stipulation
3.1.5 Uniqueness of Names
No Stipulation
3.2.2.1 Identity
No Stipulation
3.2.2.2 DBA/Tradename
No Stipulation
3.2.2.3 Verification of Country
No Stipulation
3.2.2.4 Validation of Domain Authorization or Control No Stipulation
3.2.2.4.1 Validating the Applicant as a Domain Contact No Stipulation
3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact No Stipulation
3.2.2.4.3 Phone Contact with Domain Contact No Stipulation
3.2.2.4.4 Constructed Email to Domain Contact No Stipulation
3.2.2.4.5 Domain Authorization Document
No Stipulation
3.2.2.4.6 Agreed-Upon Change to Website
No Stipulation
3.2.2.4.7 DNS Change
No Stipulation
3.2.2.4.8 IP Address
No Stipulation
3.2.2.4.9 Test Certificate
No Stipulation
3.2.2.4.10 TLS Using a Random Number
No Stipulation
3.2.2.4.11 Any Other Method
This method has been retired and MUST NOT be used.
3.2.2.4.12 Validating Applicant as a Domain Contact No Stipulation
3.2.2.5 Authentication for an IP Address No Stipulation
3.2.2.6 Wildcard Domain Validation
No Stipulation
3.2.2.7 Data Source Accuracy
No Stipulation
3.2.2.8 CAA Records
No Stipulation
3.2.3 Authentication of Individual Identity No Stipulation
3.2.4 Non-Verified Subscriber Information No Stipulation
4.7.4 Notification of New Certificate Issuance to Subscriber No stipulation
4.9.7 CRL Issuance Frequency
No Stipulation.
4.9.10 On-Line Revocation Checking Requirements No Stipulation
5.4.6 Audit Log Accumulation System (Internal vs. External) No Stipulation
6.1.5 Key Sizes
No Stipulation
6.2.3 Private Key Escrow
No Stipulation
6.2.5 Private Key Archival
No Stipulation
6.2.6 Private Key Transfer into or from a Cryptographic Module No Stipulation
6.2.9 Deactivating Private Keys
No Stipulation
6.3.2 Certificate Operational Periods and Key Pair Usage Periods No Stipulation
6.7 NETWORK SECURITY CONTROLS
No stipulation
The relevant CPS has the following sections with No Stipulation:
3.1.5 Uniqueness of Names
No Stipulation
3.2.2.5 Authentication for an IP Address No Stipulation
3.2.2.6 Wildcard Domain Validation
No Stipulation
4.7.4 Notification of New Certificate Issuance to Subscriber No Stipulation
5.4.6 Audit Log Accumulation System (Internal vs. External) No Stipulation
6.2.3 Private Key Escrow
No Stipulation
6.2.5 Private Key Archival
No Stipulation
6.2.6 Private Key Transfer into or from a Cryptographic Module No Stipulation
6.2.9 Deactivating Private Keys
No Stipulation
In this example you can see that the CA clarifies in the CPS which domain
validation methods can be used.
I'm not sure how to interpret the sections listed above that have "No
Stipulation" in both the CP and the CPS.
For instance, when I see "3.2.2.5 Authentication for an IP Address" with "No
Stipulation" in the CPS, it is not clear to me if the CA does not allow for IP
Addresses to be included in SSL certs, or if the CA just allows any form of
verification of IP Addresses.
== Example 2 ==
In the following situation, the CA does not have a separate CP document.
This one CPS document is the only public document about the CA's
policies/practices.
1.3.5 Other Participants
No stipulation.
3.2.2.4.1 Validating the Applicant as a Domain Contact No stipulation.
3.2.2.4.5 Domain Authorization Document
No stipulation.
3.2.2.4.9 Test Certificate
No stipulation
3.2.2.4.10 TLS Using a Random Number
No stipulation
3.2.2.4.11 Any Other Method
No stipulation
3.2.2.4.12 Validating Applicant as a Domain Contact No stipulation
3.2.4 Non-verified Subscriber Information No stipulation.
4.2.2 Approval or Rejection of Certificate Applications No stipulation.
4.4.1 Conduct Constituting Certificate Acceptance No stipulation.
4.4.2 Publication of the Certificate by the CA No stipulation.
4.5 Key Pair and Certificate Usage
No stipulation.
4.5.1 Subscriber Private Key and Certificate Usage No stipulation.
4.5.2 Relying Party Public Key and Certificate Usage No stipulation.
4.7 Certificate Re-key
No stipulation.
4.7.1 Circumstance for Certificate Re-key No stipulation.
4.7.2 Who May Request Certification of a New Public Key No stipulation.
4.7.3 Processing Certificate Re-keying Requests No stipulation.
4.7.4 Notification of New Certificate Issuance to Subscriber No stipulation.
4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate No stipulation.
4.7.6 Publication of the Re-keyed Certificate by the CA No stipulation.
4.7.7 Notification of Certificate Issuance by the CA to Other Entities No
stipulation.
4.9.8 Maximum Latency for CRLs
No stipulation.
4.9.13 Circumstances for Suspension
No stipulation.
4.9.14 Who Can Request Suspension
No stipulation.
4.9.15 Procedure for Suspension Request
No stipulation.
4.9.16 Limits on Suspension Period
No stipulation.
4.12 Key Escrow and Recovery
No stipulation.
4.12.1 Key Escrow and recovery Policy Practices No stipulation.
5.2.4 Roles Requiring Separation of Duties No stipulation.
5.4.4 Protection of Audit Log
No stipulation.
5.4.5 Audit Log Backup Procedures
No stipulation.
5.4.6 Audit Collection System
No stipulation.
5.7.3 Entity Private Key Compromise Procedures No stipulation.
6.5.2 Computer Security Rating
No stipulation.
7.1.5 Name Constraints
No stipulation.
In this situation, is it reasonable to assume that the domain validation
procedures that have "No Stipulation" are not used? Or should the CA be
required to use specific language to indicate that?
Is it OK for the CA to say "No Stipulation" in all of the sections listed above?
What does "No Stipulation" mean in each of the sections listed above?
==
As always, I will greatly appreciate your thoughtful and constructive input on
this discussion.
Thanks,
Kathleen
NOTICE: Protiviti is a global consulting and internal audit firm composed of
experts specializing in risk and advisory services. Protiviti is not licensed
or registered as a public accounting firm and does not issue opinions on
financial statements or offer attestation services. This electronic mail
message is intended exclusively for the individual or entity to which it is
addressed. This message, together with any attachment, may contain confidential
and privileged information. Any views, opinions or conclusions expressed in
this message are those of the individual sender and do not necessarily reflect
the views of Protiviti Inc. or its affiliates. Any unauthorized review, use,
printing, copying, retention, disclosure or distribution is strictly
prohibited. If you have received this message in error, please immediately
advise the sender by reply email message to the sender and delete all copies of
this message. Thank you.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
