
certificate policy updates (rev4) #567

Merged
merged 25 commits into master from draftRev4
Feb 22, 2019

Conversation

lachellel
Contributor

Updates for:

  • removing CRL requirements to match the development
  • CAB forum ballots

closes #562 closes #560 closes #559 closes #556 closes #555 closes #553 closes #552

lachellel and others added 24 commits December 14, 2018 15:11
Updated to address Issue #561.
The only two methods supported by the USPKI TLS are methods 6 and 7. Fixes #559
Disallow underscore in dnsName entries.
Fixes #552 
- Section 4.9.1.1 | Added a revocation reason for subscriber certificates due to demonstration of subscriber private key compromise.
- Section 4.9.3 | Require clear instructions be provided in CPS Section 1.5.2.
- Section 4.9.5 | Update for new 24 hour reporting timeline and remove activity requirements based on CRL issuance time.
- Appendix A | Definition of Key compromise matches.
Integrate changes from SC06
Integrate changes from SC12
Integrate changes from SC13
modified 4.9.1.1
updated 4.9.5
Integrate changes from SC06, SC12, SC13, and SC14
certificate-policy.md
to satisfy the grammar police
@@ -19,7 +19,7 @@
| keyUsage | Mandatory | True | Bit positions for keyCertSign and cRLSign shall be set. <br> If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit shall also be set. |
| extkeyUsage | Mandatory | False | This extension is required for Technically constrained nameConstraints per Section 7.1.2.2 and Section 7.1.5. <br> Required Extended Key Usage: <br> Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1} <br><br> Optional Extended Key Usage: <br> Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2} <br>id-kp-OCSPSigning {1.3.6.1.5.5.7.3.9} <br> Other values may be present consistent with use for server authentication, with approval by the FPKIPA. |
| certificatePolicies | Mandatory | False | See Section 7.1.6.3. At least one US Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA. |
| subjectAltName | Optional | False | |
| subjectAltName | Optional | False | Underscore characters (“_”) shall not be present in dNSName entries. |
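Review bot: the replaced subjectAltName row (last line of the hunk) adds the dNSName underscore prohibition but leaves the extension Optional in the Subordinate CA profile, while the thread below questions whether SAN in a Subordinate CA certificate should instead be "not present"; that Optional versus not-present decision should be settled, and its rationale recorded, before this row is finalized. Since the hunk only touches the Subordinate CA table (the keyUsage row above refers to the Subordinate CA Private Key), also confirm that the same underscore prohibition is carried into the subscriber certificate profile.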
Contributor Author


@debcooley
I checked our issues and notes from the certificate profile working sessions, hundreds of comments submitted for the review, and a few dozen CA certs. Unfortunately, I cannot figure out why we made the decision for SAN in the subordinate CA cert to be optional versus "not present". This might have been a typo from me, when cleaning up the cert profiles and addressing the submitted comments.

Can you think of any reason why we'd have a SAN in the Subordinate CA cert?

@lachellel
Contributor Author

merging policy updates

@lachellel lachellel merged commit 337954d into master Feb 22, 2019
@lachellel lachellel deleted the draftRev4 branch February 22, 2019 16:58