IMO, this is an interesting topic, worthy of discussion (maybe not here), and far from trivial.
Referring to the specific issue that Mark mentions, the ability to obtain a client auth cert for "nearly any org" is obviously tied to the vetting practices adopted (and not necessarily published, as there is no obligation to do so for these types of certificates) by the CA involved. And since there are no guidelines, let alone binding requirements, for generic client auth certs, it's clear that today any CA can legitimately do as they see fit, and therefore... "caveat emptor". Undoubtedly there is a related threat, but this is also the "fault" of the server that accepts such certificates.
In principle, I believe something like "baseline requirements" for TLS client auth certs are conceivable, although browsers aren't interested in this issue. But is it possible to find consensus and the resources needed to develop them? And besides, who and how could enforce compliance with such BRs, if they existed?
Adriano
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org .
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/MW5PR16MB484698231365B76EACABB762D17CA%40MW5PR16MB4846.namprd16.prod.outlook.com .
-- Dimitris Zacharopoulos CA/B Forum SCWG Chair
On 04/03/2026 20:24, Mark Gamache wrote:
All,
Sorry that this question is not about Server certs, but there is no Client auth WG nor a list that I can find like a general WG.
What would it take to get a client auth WG with rules about names going into such certs?
I recently verified from a few CABF-scoped CAs and their vendors that, due to the lack of rules on client auth cert naming, I can get certs in the names of nearly any org. When looking at the client auth threat model, I am not sure the industry is on the same page about this. I suspect some think there is some governance. I don't love mTLS/client auth, but it seems like it is here to stay.
If we are going to do client auth, we should all be understanding the threat model. FWIW, I have been working with OWASP a bit on the topic and it is clear that as an industry, we all need to get aligned.
Thanks,
Mark Gamache
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/7b98ba05-bfd1-4431-bfc9-ec6bbdd896f1%40staff.aruba.it.
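Mark's observation that a client auth cert can be obtained in the name of "nearly any org", and Adriano's reply that the accepting server shares the blame, both come down to the same relying-party mistake: treating the Subject Organization a CA wrote into a client certificate as an authorization decision. The following is an added example, not code from any participant in this thread. It uses only the Go standard library, builds a throwaway in-memory CA (constructed for the example, not a real issuer) and issues two client-auth certificates that both claim O=Example Corp. The server-side policy validates the chain and the id-kp-clientAuth EKU, but grants the organization from its own enrolment table keyed by SPKI hash, so the look-alike certificate with the same name is rejected. Pinning the SubjectPublicKeyInfo is one binding chosen here for illustration; keying the table by issuer plus serial would serve the same purpose.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a throwaway in-memory CA (constructed for this example; not a real CA).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert issues a client-auth leaf whose Subject claims the given organization.
// Nothing here vets the organization name, which is the situation the thread describes.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, org string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin is the hex SHA-256 of the certificate's SubjectPublicKeyInfo.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ClientPolicy is the relying server's side: chain validation plus an explicit enrolment
// table. The organization a client may act for comes from the server's own table, never
// from the Subject the CA placed in the certificate.
type ClientPolicy struct {
	Roots    *x509.CertPool
	Enrolled map[string]string // SPKI pin -> organization assigned at enrolment
}

// Authorize returns the organization attributed to the presented client certificate, or
// an error if chain validation, the clientAuth EKU check, or the enrolment lookup fails.
func (p ClientPolicy) Authorize(leaf *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{
		Roots:     p.Roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	org, ok := p.Enrolled[spkiPin(leaf)]
	if !ok {
		return "", errors.New("key not enrolled; subject organization is not trusted on its own")
	}
	return org, nil
}

// Demo issues two client certs from the same CA, both claiming O=Example Corp. It returns
// the organization granted to the enrolled client and whether the look-alike was rejected.
func Demo() (string, bool, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return "", false, err
	}
	genuine, err := issueClientCert(ca, caKey, "Example Corp", 2)
	if err != nil {
		return "", false, err
	}
	lookalike, err := issueClientCert(ca, caKey, "Example Corp", 3)
	if err != nil {
		return "", false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	policy := ClientPolicy{Roots: roots, Enrolled: map[string]string{spkiPin(genuine): "Example Corp"}}
	org, err := policy.Authorize(genuine)
	if err != nil {
		return "", false, err
	}
	_, lookalikeErr := policy.Authorize(lookalike)
	return org, lookalikeErr != nil, nil
}

func main() {
	org, rejected, err := Demo()
	fmt.Println("enrolled client org:", org, "look-alike rejected:", rejected, "err:", err)
}
```

The enrolment table is the piece a server has to own itself: whatever a CA's vetting practices are, the name in the certificate only tells you what the CA was willing to write, and the authorization decision has to rest on something the relying party established out of band.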
Mar 4, 2026 21:24:21 Mark Gamache <ma...@markgamache.com>:
DZ.
Mar 5, 2026 15:32:25 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>:
Hi Martijn,
What section of MRSP states this restriction?
Thanks,
Corey
DZ.
Mar 5, 2026 16:29:34 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>:
I agree that a strict interpretation of that section would require one of the listed CABF OIDs in client authentication certificates. But that same strict interpretation would also prohibit the issuance of timestamping authority certificates, because the CSBR timestamping OID is not listed in the table.
Given this, the strict interpretation is not the most reasonable interpretation of this section.
From a Mozilla Root Store Policy perspective, I am not aware of an explicit prohibition on issuing certificates that contain only the id-kp-clientAuth EKU under a root that is trusted in NSS. The MRSP does not appear to include language that expressly forbids client-auth-only issuance.
At the same time, Mozilla’s stated position is that we curate our root store solely for the purposes of TLS server authentication and S/MIME. See Kathleen Wilson’s 2021 blog post for additional context:
https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusing-root-stores/
However, as with other aspects of our program, Mozilla’s policies and positions may evolve over time based on ecosystem developments and other considerations.
If others believe there is specific policy text that would suggest otherwise, please feel free to point it out, and I will stand corrected.
Thanks,
Ben
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/CA6D160C-9DFB-4DF2-A3E7-68DB818F73DC%40apple.com.
DZ.
Mar 5, 2026 18:31:46 'Martijn Katerbarg' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>: