certificate policy updates (rev4) #567
Conversation
Updated to address Issue #561.
The only two methods supported by the USPKI TLS are methods 6 and 7. Fixes #559
Disallow underscore in dnsName entries.
Fixes #552
- Section 4.9.1.1 | Added a revocation reason for subscriber certificates due to demonstration of subscriber private key compromise.
- Section 4.9.3 | Require clear instructions be provided in CPS Section 1.5.2.
- Section 4.9.5 | Update for new 24 hour reporting timeline and remove activity requirements based on CRL issuance time.
- Appendix A | Definition of Key compromise matches.
Integrate changes from SC06
Integrate changes from SC12
Integrate changes from SC13
Modified 4.9.1.1, updated 4.9.5
Integrate changes from SC06, SC12, SC13, and SC14
to satisfy the grammar police
@@ -19,7 +19,7 @@ | |||
| keyUsage | Mandatory | True | Bit positions for keyCertSign and cRLSign shall be set. <br> If the Subordinate CA Private Key is used for signing OCSP responses, then the digitalSignature bit shall also be set. | | |||
| extkeyUsage | Mandatory | False | This extension is required for Technically constrained nameConstraints per Section 7.1.2.2 and Section 7.1.5. <br> Required Extended Key Usage: <br> Server Authentication id-kp-serverAuth {1.3.6.1.5.5.7.3.1} <br><br> Optional Extended Key Usage: <br> Client Authentication id-kp-clientAuth {1.3.6.1.5.5.7.3.2} <br>id-kp-OCSPSigning {1.3.6.1.5.5.7.3.9} <br> Other values may be present consistent with use for server authentication, with approval by the FPKIPA. | | |||
| certificatePolicies | Mandatory | False | See Section 7.1.6.3. At least one US Government certificate policy OID listed in Section 7.1.6.1 asserting compliance with this CP, and one CAB Forum certificate policy OID listed in Section 7.1.6.1 asserting compliance with the CAB Forum Baseline Requirements. The certificate shall include all the certificate policy OIDs for all certificates issued by the CA. | | |||
| subjectAltName | Optional | False | | | |||
| subjectAltName | Optional | False | Underscore characters (“_”) shall not be present in dNSName entries. | |
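Review bot: the replacement subjectAltName row keeps Presence at "Optional" in the Subordinate CA profile and only appends the dNSName underscore restriction, so the open question in the thread (whether a SAN belongs in a Subordinate CA certificate at all) is not settled by this hunk; either revise the Presence column in the same change or record in the PR why it stays Optional. Also, the commit message says "dnsName" while the row says "dNSName"; the latter is the RFC 5280 GeneralName identifier, so use the row's spelling wherever this rule is repeated elsewhere in the CP.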
@debcooley
I checked our issues and notes from the certificate profile working sessions, hundreds of comments submitted for the review, and a few dozen CA certs. Unfortunately, I cannot figure out why we made the decision for SAN in the Subordinate CA cert to be optional versus "not present". This might have been a typo from me when cleaning up the cert profiles and addressing the submitted comments.
Can you think of any reason why we'd have a SAN in the Subordinate CA cert?
merging policy updates
Updates for:
closes #562
closes #560
closes #559
closes #556
closes #555
closes #553
closes #552