Mozilla will endorse.

On Fri, Sep 6, 2024 at 7:21 AM Paul van Brouwershaven via Validation <validation@cabforum.org> wrote:
> Following yesterday's discussion in the validation subcommittee teleconference, we are now seeking two members to endorse the ballot. Feedback is also welcome, either here or on the pull request.
>
> ### Purpose of the Ballot
>
> This ballot duplicates the content of section 7.1.2.10.5 (CA Certificate Certificate Policies) into section 7.1.2.2 (Cross-Certified Subordinate CA Certificate Profile) as section 7.1.2.2.6 (Cross-Certified Subordinate CA Certificate Certificate Policies), modifying the requirement from "MUST contain exactly one Reserved Certificate Policy Identifier" to "MUST include at least one Reserved Certificate Policy Identifier" to allow the inclusion of multiple Reserved Certificate Policy Identifiers in a Cross-Certified Subordinate CA Certificate.
>
> The following motion has been proposed by Paul van Brouwershaven (Entrust) and endorsed by XXX (XXX) and XXX (XXX).
>
> GitHub pull request for this ballot:
> https://github.com/cabforum/servercert/pull/544
>
> ### Motion begins
>
> MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.0.6 as specified in the following redline:
>
> https://github.com/cabforum/servercert/compare/929d9b4a1ed1f13f92f6af672ad6f6a2153b8230...89f80028b40ce6a1a5c52b406d37e5534460a1a1
>
> ### Motion ends
>
> This ballot proposes a Final Maintenance Guideline.
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> - Start time: TBC
> - End time: TBC
>
> Vote for approval (7 days)
>
> - Start time: TBC
> - End time: TBC
>
> ------------------------------
> *From:* Validation <validation-boun...@cabforum.org> on behalf of Paul van Brouwershaven via Validation <validation@cabforum.org>
> *Sent:* Thursday, September 5, 2024 16:40
> *To:* CABforum3 <validation@cabforum.org>
> *Subject:* [EXTERNAL] [cabf_validation] Section 7.1.2.10.5 CA Certificate Certificate Policies for cross signing certificates
>
> We would like to clarify the following requirement in section 7.1.2.10.5 CA Certificate Certificate Policies, specifically for cross signing certificates.
>
> RFC 5280 states that you can have one CertPolicyId within the PolicyInformation, see below:
>
>     certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
>
>     PolicyInformation ::= SEQUENCE {
>         policyIdentifier   CertPolicyId,
>         policyQualifiers   SEQUENCE SIZE (1..MAX) OF
>                                 PolicyQualifierInfo OPTIONAL }
>
>     CertPolicyId ::= OBJECT IDENTIFIER
>
> Section 7.1.2.10.5 of the TLS BR states for the policyIdentifier:
>
> "The CA MUST include *at least one* Reserved Certificate Policy Identifier (see Section 7.1.6.1) associated with the given Subscriber Certificate type (see Section 7.1.2.7.1) directly or transitively issued by this Certificate."
>
> This 'at least one' seems to contradict RFC 5280 which indicates that we can only have one policyIdentifier in the PolicyInformation sequence.
> Then at the bottom of this section the TLS BRs state that the entire certificate policies extension MUST contain exactly one Reserved Certificate Policy Identifier:
>
> "Regardless of the order of PolicyInformation values, the Certificate Policies extension *MUST contain exactly one* Reserved Certificate Policy Identifier."
>
> While we can repeat the PolicyInformation within the certificatePolicies extension, does this mean that CAs are prohibited from issuing a cross signing certificate (from a multi-purpose root to another multi-purpose root) with policy constraints that include DV, OV and EV reserved certificate policy identifiers? If our reading of this section is correct, this would mean that CAs need to issue three separate cross signing certificates in that case.
>
> Paul
>
> _______________________________________________
> Validation mailing list
> Validation@cabforum.org
> https://lists.cabforum.org/mailman/listinfo/validation
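The ASN.1 quoted in Paul's message, worked through as an added example that is not part of this thread: a minimal stdlib-only Python encoder and decoder for the certificatePolicies extension, showing that each PolicyInformation carries a single CertPolicyId, that several Reserved Certificate Policy Identifiers therefore need several PolicyInformation values, and how the current "exactly one" test and the ballot's "at least one" test differ on such an extension. Assumptions: the reserved OIDs are the DV, OV, IV and EV identifiers from TLS BR section 7.1.6.1, only short-form DER lengths (extensions under 128 bytes) are handled, and the private OID used in the usage below is a constructed placeholder for a CA-specific policy.

```python
# Added example (not from the thread): minimal stdlib-only DER codec for certificatePolicies.

RESERVED_POLICY_OIDS = {  # Reserved Certificate Policy Identifiers, TLS BR 7.1.6.1
    "2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV", "2.23.140.1.1": "EV",
}

def _tlv(tag, body):
    assert len(body) < 0x80, "short-form length only"
    return bytes([tag, len(body)]) + body

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def encode_certificate_policies(oids):
    # A PolicyInformation holds a single CertPolicyId, so one SEQUENCE per OID.
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))

def _split_tlvs(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        out.append((tag, buf[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return out

def policy_identifiers(der):
    # Returns the DER-encoded policyIdentifier of every PolicyInformation, in order.
    [(tag, seq)] = _split_tlvs(der)
    ids = []
    for info_tag, info in _split_tlvs(seq):
        oid_tag, oid_body = _split_tlvs(info)[0]  # policyIdentifier comes first
        assert tag == info_tag == 0x30 and oid_tag == 0x06
        ids.append(_tlv(oid_tag, oid_body))
    return ids

def reserved_policies(der):
    by_der = {encode_oid(o): label for o, label in RESERVED_POLICY_OIDS.items()}
    return [by_der[i] for i in policy_identifiers(der) if i in by_der]

def check_reserved_count(der, exactly_one):
    n = len(reserved_policies(der))
    return n == 1 if exactly_one else n >= 1
```

`check_reserved_count(ext, True)` applies the current section 7.1.2.10.5 rule and `check_reserved_count(ext, False)` the wording proposed for section 7.1.2.2.6; a cross-certificate asserting DV, OV and EV together passes only the latter.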