IntroductionĀ
During the course of bug 1815355, the community had the opportunity to analyze a CA audit scope issue that involved a cross-certified Root CA. Asseco Data Systems and SSL.com prepared this write-up to share their experience with the larger community, hoping to improve the knowledge of CA audit scopes and help other CAs avoid similar situations.Ā
The parameters of this use case are as follows:Ā Ā
The problemĀ
Each CA should have considered the alternative trust paths and adjust the audit scope accordingly. Even if Root CA1 and its Issuing CAs were not intended to be used to issue EV TLS Certificates and Root CA1 was included to Root Stores without āEV treatmentā, the fact that there was an alternative path (through Root CA2) made Root CA 1 and its Issuing CAs technically capable of issuing EV TLS Certificates. Based on the policies of root store programs, an audit showing conformance with the EV policy is required for any technically capable CA (for example, see Mozillaās RSP).Ā
The solutionĀ
An important lesson learned from this use case is that when a CA considers the audit scope for each CA Certificate, it must consider ALL possible certification paths that can assert (per RFC 5280) an EV-enabling policy OID, chaining to an EV-enabled Root and if there is even one such path, the affected CAs need to be added to the EV audit scope regardless of other certification paths or whether this technical capability is being used to issue EV Certificates or not.Ā
In our example, a mitigation that could have prevented the technical capability of Root CA1 issuing EV Certificates would be to include specific policy OIDs in the certificatePolicies extension of the Cross-Certificate, none of which would enable āEV treatmentā to issued certificates chaining to that Cross-Certificate. RFC 5280 conforming implementations need to build a valid policy tree according to the Basic Path Validation algorithm described in section 6.1 and process them as described in section 6.1.3 of RFC 5280. The lack of an EV-enabling policy OID in the Cross-Certificate should block the assertion of an EV-enabling policy OID in an end-entity certificate chaining to that Cross-Certificate. We were able to confirm that at least Firefox and Chromium properly validate the policy tree.Ā
Tools to useĀ
In addition to the above guidance, we would like to suggest some tools that present graphs of possible available certification paths to a given CA Certificate (once again, we would like to thank Sectigo for developing and making these tools publicly available):Ā
Note how SSL.com is EV SSL enabled if the Certum EV policy OID is used.Ā
EpilogueĀ
This write-up explains a gap which may arise due to the complexity of the cross-certification and the audit scope which affects two different CAs/organizations, especially considering the evolution of root store policies and expectations. It also attempts to provide guidance and useful tools for other CAs to avoid such pitfalls. We hope this information is useful to the community.Ā
Ā
Sincerely,Ā
Asseco Data Systems and SSL.comĀ