SC35: Cleanups and Clarifications #208

sleevi · 2020-08-06T16:33:05Z

Overview

This ballot attempts to fix the numerous typographical and editorial issues that have been identified in the SCWG documents ("spring cleanup"), such as incorrect section references, expired effective dates, or spelling and grammatical mistakes. Additionally, it attempts to provide guidance and clarification for language that has been viewed as ambiguous, multiple, or conflicting interpretations.

Changes

EV Guidelines

The "Subject Organization Identifier Extension" is not a defined term, and is corrected to "CA/Browser Forum Organization Identifier Extension" throughout ( EV Guidelines: SC17 cleanups #152 )
The effective dates in Section 8.2.2 have been removed, as the last effective date was 31 May 2018. ( EV Guidelines: Past compliance dates #161 )
Section 9.8.2 misspelled "Forum" as "Form"
The effective date in Section 9.8.2 has been removed, as it was effective 31 January 2020 ( EV Guidelines: Past compliance dates #161 )
Section 11.12.2 is corrected to point to the latest IFAC and BIS lists ( Broken links in "Guidelines for the issuance and management of extended validation certificates" #76 )
Appendix H is corrected to refer to Section 9.8.2, not Section 9.8.1 ( EV Guidelines: SC17 cleanups #152 )
Spelling and punctuation fixes throughout
Improved terminology relating to denied entities list.
Further clarify that the CA/BF OrganizationIdentifier field has the same contents/values ( https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html )

Baseline Requirements

The references to CAA are updated to refer to RFC 8659, which incorporates CABF feedback ( Baseline Requirements: Update CAA from 6844 to 8659 #168 ).
- Note: This removes Appendix A, and renumbers accordingly
3.2.2.4.6's language on sunset/effective date is brought into consistency with our other sections in 3.2.2.4 on sunsets. ( Baseline Requirements: Add explicit date in Section 3.2.2.4.6 #163 )
An incorrect reference to 3.2.5 in Section 3.2.2.5 has been fixed to say Section 3.2.2.5 ( Baseline Requirements: Incorrect reference in 3.2.2.5 #155 )
A typo in Section 7.1.5 is fixed ("compliancy" -> "compliance") ( Baseline Requirements: Typo in Section 7.1.5 #159 )
The handling of Certificate Policy OIDs for Intermediates/Roots is restructured, so that it's clear that their presence in a Subordinate/Root makes them subject to the BRs (and EVGs, if appropriate), but their presence in a Subscriber certificate make them subject to the certificate profile, and in particular, the Subject profile (e.g. DV/OV/IV/EV) ( Baseline Requirements: Clarify the requirements about subCAs with a CABF OID in the CP #179 )
Spelling and punctuation fixes throughout

Revocation Clarifications

The following are an attempt to clarify the logical consequences of the various policies surrounding weak and compromised keys ( #164 )

4.9.1.1's revocation requirements are updated to express their logical consequences.
- Namely, CAs are required to revoke a certificate within 24 hours if a Private Key has suffered a Key Compromise
- Implicitly, if there is a demonstrated or proven method to easily compute the Private Key, then the private key has suffered a Key Compromise
- Therefore, explicitly specify that keys using such methods also require 24 hours revocation

However, keys that may have been generated with a flawed method, or there's a method which exposes a key to compromise (e.g. a signing oracle, Heartbleed), those remain at 5 days.

The distinction between these two sets is whether the public key alone is sufficient to compromise the key; if it is, the CA MUST treat it as compromised. However, if there are other factors (e.g. it requires additional state from an RNG, requires interacting with a service or use of the key), then those are left at 5 days, unless someone has already done so, at which point, it's a Key Compromise.

Section 6.1.1.3 is similar reworked, to make it clearer that if a certificate will be immediately revoked due to one of the Private Key (flawed, weak, compromised), then the CA MUST NOT issue the certificate. A CA that continually issued certificates to weak keys, and then revoked them, effectively bypasses revocation by allowing such keys to be used for between 72 hours and 10 days (depending on the lifetime of the CRL/OCSP and response times of the CA). ( #171 )

Section 4.9.1.1 places requirements on when a CA MUST revoke certificates. These obligations are then documented within the CA's CP/CPS, either implicitly through a statement of compliance with the Baseline Requirements or explicitly through enumerating these. However, at various points, CAs have raised concern that their Subscriber Agreement prevents them from adhering to their CP/CPS and the Baseline Requirements, because their Subscriber Agreement does not permit them to revoke as required by Section 4.9.1.1. This updates Section 9.6.3 to instead bind the Subscriber Agreement to the CA's CP, CPS, and the Baseline Requirements, as discussed at #172 .

The existing provisions within Section 9.6.3 regarding specific uses of the certificate are then folded into this requirement, by allowing the CA's CP/CPS to detail the cases they revoke within Section 4.9.1.1, or, optionally, within their Subscriber Agreement of Terms of Use. This ensures consistency with the primary objective, of ensuring that the Subscriber acknowledges that the CA MAY revoke the Certificate at any time, for the reasons specified by the CA.

Closes cabforum#152

Closes cabforum#155

Closes cabforum#159

Closes cabforum#161

Closes cabforum#163

Closes cabforum#164

Closes cabforum#171

Closes cabforum#168

Closes cabforum#172

Closes cabforum#76

cabforum#127

Close cabforum#184

Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html

Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

* Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.)

* Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>

* Ballot SC28v6: Logging and Log Retention (#222) Add SC28 * SC35: Cleanups and Clarifications (#208) (#223) * Cleanup typos and issues from SC17 Closes #152 * Fix an incorrect reference from 3.2.5 to 3.2.2.5 Closes #155 * Fix typo: compliancy -> compliance Closes #159 * Cleanup old effective date for CP/CPSes Closes #161 * Update effective date for 3.2.2.4.6 Closes #163 * Move weak key lookups into 24-hour revocation Closes #164 * Align Section 6.1.1.3 with 4.9.1.1 Closes #171 * Replace RFC 6844 with RFC 8659 Closes #168 * Clarify that revocation is permitted if required by CP/CPS/BRs Closes #172 * Correct links to US gov't denial lists Closes #76 * Add a definition for CA Key Pair #127 * Clarify CA Key Pair generation (#23) Close #184 * Attempt to clarify policy OIDs (#21) Attempts to resolve #179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates * Fixup formatting issues in the PDF * Fix issues spotted by Corey Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Cleanup EVG terminology * Clarify organizationIdentifier contents As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html * Apply further suggestions from Corey Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> * Spelling, formatting, punctuation improvements (#31) * Where a word was spelling multiple ways (e.g. organization & organisation) consolidate on whichever form is the majority used * MD formatting improvements (e.g. 5 numeral headings updated to have 5 '#' instead of 4) * More consistent punctuation in section headings (e.g. '3.2.2.4.*:' vs '3.2.2.4.*') * More correct - I hope - extension values (e.g. extKeyUsage instead of extendedKeyUsage) * Improved, but identical - I hope - terminology (e.g. key purposes instead of usages where context is id-kp-*) * Various minor spelling corrections (e.g. jursidiction -> jurisdiction, Certifiation -> Certification, etc.) Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com> * Update version numbers and cover pages. * Update effective date to 2020-10-19. * Update version for the cover page Co-authored-by: sleevi <ryan.sleevi@gmail.com> Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com> Co-authored-by: Clint Wilson <clint@wilsonovi.com>

sleevi and others added 19 commits August 24, 2020 21:29

Cleanup typos and issues from SC17

922432a

Closes cabforum#152

Fix an incorrect reference from 3.2.5 to 3.2.2.5

94c955e

Closes cabforum#155

Fix typo: compliancy -> compliance

ba5c81c

Closes cabforum#159

Cleanup old effective date for CP/CPSes

f55e588

Closes cabforum#161

Update effective date for 3.2.2.4.6

d3e0a5f

Closes cabforum#163

Move weak key lookups into 24-hour revocation

c4c1d23

Closes cabforum#164

Align Section 6.1.1.3 with 4.9.1.1

b3ec02b

Closes cabforum#171

Replace RFC 6844 with RFC 8659

48654d9

Closes cabforum#168

Clarify that revocation is permitted if required by CP/CPS/BRs

5319bd4

Closes cabforum#172

Correct links to US gov't denial lists

5df011e

Closes cabforum#76

Add a definition for CA Key Pair

210e557

cabforum#127

Clarify CA Key Pair generation (#23)

ee4ad16

Close cabforum#184

Attempt to clarify policy OIDs (#21)

329c411

Attempts to resolve cabforum#179 by introducing the term "Server Certificate" to distinguish from Subscriber Certificate (which may include Subordinate CAs), and to scope the requirements around identity information to only Server Certificates

Fixup formatting issues in the PDF

3da9b82

Fix issues spotted by Corey

1346b7e

Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

Cleanup EVG terminology

89fc85b

Clarify organizationIdentifier contents

28bd66f

As requested by Mads from Buypass in https://archive.cabforum.org/pipermail/servercert-wg/2020-August/002148.html

Apply further suggestions from Corey

4223534

Correct Subscriber -> Applicant in additional places Co-authored-by: Corey Bonnell <corey.j.bonnell@outlook.com>

sleevi changed the title ~~(Draft Ballot): Cleanups and Clarifications (without SC30 and SC31 version)~~ (Draft Ballot): Cleanups and Clarifications Aug 25, 2020

sleevi force-pushed the 2020-04-01-Cleanups branch from 9cb110f to 884eef6 Compare August 25, 2020 01:44

sleevi changed the title ~~(Draft Ballot): Cleanups and Clarifications~~ SC35: Cleanups and Clarifications Aug 25, 2020

dzacharo changed the base branch from main to SC35 September 14, 2020 07:06

dzacharo merged commit 159974e into cabforum:SC35 Sep 14, 2020

sleevi deleted the 2020-04-01-Cleanups branch November 4, 2020 23:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SC35: Cleanups and Clarifications #208

SC35: Cleanups and Clarifications #208

sleevi commented Aug 6, 2020 •

edited

SC35: Cleanups and Clarifications #208

SC35: Cleanups and Clarifications #208

Conversation

sleevi commented Aug 6, 2020 • edited

Overview

Changes

EV Guidelines

Baseline Requirements

Revocation Clarifications

sleevi commented Aug 6, 2020 •

edited