SC-103: Require EKUs for Cross-Certified Subordinate CAs#668
Draft
aarongable wants to merge 1 commit into
--- Ballot Background ---
The CCADB Policy v2.1 requires that the Extended Key Usage extension exist and have specific values in "cross-certificates [whose] Subject CA’s public key [...] might exist in a publicly-trusted self-signed Root CA certificate whose hierarchy should be considered dedicated to a specific PKI use case".
Simultaneously, several Root Program Policies require that all CA certificates be dedicated as such. For example, the Chrome Policy v1.8 requires that all Subordinate CA Certificates must include the EKU extension and assert only id-kp-serverAuth. Similarly, the Mozilla Policy v3.0 requires that all Subordinate CA Certificates assert either id-kp-serverAuth or both that and id-kp-clientAuth.
This ballot is an attempt to harmonize the Baseline Requirements with those existing root program requirements.
--- Ballot Summary ---
In the Cross-Certified Subordinate CA Certificate Profile, indicate that the Extended Key Usage extension is required in all circumstances. Remove the language distinguishing between "unrestricted" and "restricted" cases. In the table, direct readers to the subsection detailing restricted EKUs.
Remove the contents of the old "unrestricted" subsection, marking it as deprecated.
Rewrite the "restricted" subsection to clearly indicate exactly what combinations of EKU OIDs are acceptable. This is significantly stricter than the current version of the BRs, as the current language allows many combinations of EKU OIDs, as long as the certificate does not also assert id-kp-serverAuth. But it mirrors the restrictions in existing root program policy, and is much simpler to read and understand.
This ballot does not currently have an effective date, as generation of Cross-Certified Subordinate CA Certificates is a comparatively rare event, and this change is only intended to harmonize the BRs with existing root program policy. However, an effective date in the future could be added if others deem it necessary.
This ballot is endorsed by Chris Clements (Google / Chrome) and Ben Wilson (Mozilla).
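As an added example (not part of the ballot, the PR, or any root program's own tooling), the following Go check applies the rule the ballot describes to a parsed CA certificate: the EKU extension must be present and assert only id-kp-serverAuth, or serverAuth plus clientAuth when the Mozilla variant is permitted. The precise set of OID combinations in the final ballot text is not shown on this page, so the two variants encoded here are an assumption drawn from the Chrome and Mozilla policies the ballot cites; the test certificates are constructed in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// CheckCrossCertEKU applies the ballot's intent to a cross-certified CA certificate: the EKU
// extension must be present and assert only id-kp-serverAuth, or, with allowClientAuth set (the Mozilla
// variant the ballot cites), serverAuth plus clientAuth. The final ballot's exact OID list is not on this page (assumption).
func CheckCrossCertEKU(cert *x509.Certificate, allowClientAuth bool) error {
	// Go leaves both slices empty when the extension is absent; OIDs it does not know are never allowed.
	if len(cert.ExtKeyUsage) == 0 || len(cert.UnknownExtKeyUsage) > 0 {
		return fmt.Errorf("EKU extension missing or carries unrecognised OIDs: %v", cert.UnknownExtKeyUsage)
	}
	hasServer := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			hasServer = true
		} else if eku != x509.ExtKeyUsageClientAuth || !allowClientAuth {
			return fmt.Errorf("EKU value %d not permitted in a cross-certified sub CA", eku)
		}
	}
	if !hasServer {
		return fmt.Errorf("id-kp-serverAuth must be asserted")
	}
	return nil
}

// makeTestCA builds a constructed self-signed CA certificate carrying the given EKUs
// (nil = no EKU extension at all) so the check can be exercised offline.
func makeTestCA(ekus []x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, ExtKeyUsage: ekus,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	fmt.Println(CheckCrossCertEKU(makeTestCA(nil), false)) // a CA certificate with no EKU extension is rejected
}
```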