SC35: Cleanups and Clarifications #208
Merged
Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html
Correct Subscriber -> Applicant in additional places
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
* Where a word was spelled multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used
* MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4)
* More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*')
* More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage)
* Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*)
* Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.)
sleevi changed the title from "(Draft Ballot): Cleanups and Clarifications (without SC30 and SC31 version)" to "(Draft Ballot): Cleanups and Clarifications" on Aug 25, 2020
sleevi force-pushed the 2020-04-01-Cleanups branch from 9cb110f to 884eef6 on August 25, 2020 01:44
sleevi changed the title from "(Draft Ballot): Cleanups and Clarifications" to "SC35: Cleanups and Clarifications" on Aug 25, 2020
dzacharo added a commit that referenced this pull request on Sep 14, 2020
* Cleanup typos and issues from SC17
  Closes #152
* Fix an incorrect reference from 3.2.5 to 3.2.2.5
  Closes #155
* Fix typo: compliancy -> compliance
  Closes #159
* Cleanup old effective date for CP/CPSes
  Closes #161
* Update effective date for 3.2.2.4.6
  Closes #163
* Move weak key lookups into 24-hour revocation
  Closes #164
* Align Section 6.1.1.3 with 4.9.1.1
  Closes #171
* Replace RFC 6844 with RFC 8659
  Closes #168
* Clarify that revocation is permitted if required by CP/CPS/BRs
  Closes #172
* Correct links to US gov't denial lists
  Closes #76
* Add a definition for CA Key Pair #127
* Clarify CA Key Pair generation (#23)
  Close #184
* Attempt to clarify policy OIDs (#21)
  Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
* Fixup formatting issues in the PDF
* Fix issues spotted by Corey
  Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
* Cleanup EVG terminology
* Clarify organizationIdentifier contents
  As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html
* Apply further suggestions from Corey
  Correct Subscriber -> Applicant in additional places
  Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
* Spelling, formatting, punctuation improvements (#31)
  * Where a word was spelled multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used
  * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4)
  * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*')
  * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage)
  * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*)
  * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.)

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Co-authored-by: sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
dzacharo added a commit that referenced this pull request on Oct 16, 2020
wthayer pushed a commit that referenced this pull request on Oct 19, 2020
* Ballot SC28v6: Logging and Log Retention (#222)
  Add SC28
* SC35: Cleanups and Clarifications (#208) (#223)
  * Cleanup typos and issues from SC17
    Closes #152
  * Fix an incorrect reference from 3.2.5 to 3.2.2.5
    Closes #155
  * Fix typo: compliancy -> compliance
    Closes #159
  * Cleanup old effective date for CP/CPSes
    Closes #161
  * Update effective date for 3.2.2.4.6
    Closes #163
  * Move weak key lookups into 24-hour revocation
    Closes #164
  * Align Section 6.1.1.3 with 4.9.1.1
    Closes #171
  * Replace RFC 6844 with RFC 8659
    Closes #168
  * Clarify that revocation is permitted if required by CP/CPS/BRs
    Closes #172
  * Correct links to US gov't denial lists
    Closes #76
  * Add a definition for CA Key Pair #127
  * Clarify CA Key Pair generation (#23)
    Close #184
  * Attempt to clarify policy OIDs (#21)
    Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates
  * Fixup formatting issues in the PDF
  * Fix issues spotted by Corey
    Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
  * Cleanup EVG terminology
  * Clarify organizationIdentifier contents
    As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html
  * Apply further suggestions from Corey
    Correct Subscriber -> Applicant in additional places
    Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
  * Spelling, formatting, punctuation improvements (#31)
    * Where a word was spelled multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used
    * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4)
    * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*')
    * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage)
    * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*)
    * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.)

  Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
  Co-authored-by: Clint Wilson <clint@wilsonovi.com>
  Co-authored-by: sleevi <ryan.sleevi@gmail.com>
  Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
  Co-authored-by: Clint Wilson <clint@wilsonovi.com>
* Update version numbers and cover pages.
* Update effective date to 2020-10-19.
* Update version for the cover page

Co-authored-by: sleevi <ryan.sleevi@gmail.com>
Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>
Co-authored-by: Clint Wilson <clint@wilsonovi.com>
Overview
This ballot attempts to fix the numerous typographical and editorial issues that have been identified in the SCWG documents ("spring cleanup"), such as incorrect section references, expired effective dates, or spelling and grammatical mistakes. Additionally, it attempts to provide guidance and clarification for language that has been viewed as ambiguous, or as having multiple or conflicting interpretations.
Changes
EV Guidelines
Baseline Requirements
Revocation Clarifications
The following is an attempt to clarify the logical consequences of the various policies surrounding weak and compromised keys (#164).
However, keys that may have been generated with a flawed method, or where there's a method which exposes a key to compromise (e.g. a signing oracle, Heartbleed), remain at 5 days.
The distinction between these two sets is whether the public key alone is sufficient to compromise the key; if it is, the CA MUST treat it as compromised. However, if there are other factors (e.g. it requires additional state from an RNG, requires interacting with a service or use of the key), then those are left at 5 days, unless someone has already done so, at which point, it's a Key Compromise.
Section 6.1.1.3 is similarly reworked, to make it clearer that if a certificate will be immediately revoked due to one of the Private Key (flawed, weak, compromised), then the CA MUST NOT issue the certificate. A CA that continually issued certificates to weak keys, and then revoked them, effectively bypasses revocation by allowing such keys to be used for between 72 hours and 10 days (depending on the lifetime of the CRL/OCSP and response times of the CA). (#171)
Section 4.9.1.1 places requirements on when a CA MUST revoke certificates. These obligations are then documented within the CA's CP/CPS, either implicitly through a statement of compliance with the Baseline Requirements or explicitly through enumerating these. However, at various points, CAs have raised concern that their Subscriber Agreement prevents them from adhering to their CP/CPS and the Baseline Requirements, because their Subscriber Agreement does not permit them to revoke as required by Section 4.9.1.1. This updates Section 9.6.3 to instead bind the Subscriber Agreement to the CA's CP, CPS, and the Baseline Requirements, as discussed at #172.
The existing provisions within Section 9.6.3 regarding specific uses of the certificate are then folded into this requirement, by allowing the CA's CP/CPS to detail the cases they revoke within Section 4.9.1.1, or, optionally, within their Subscriber Agreement or Terms of Use. This ensures consistency with the primary objective of ensuring that the Subscriber acknowledges that the CA MAY revoke the Certificate at any time, for the reasons specified by the CA.