On Fri, October 19, 2012 3:58 pm, Eddy Nigg wrote:
> On 10/19/2012 10:44 PM, From Kathleen Wilson:
> > "A certificate is deemed as technically capable of issuing
> > certificates if it does not contain a basicConstraints extension, or
> > contains an X.509v3 basicConstraints extension with the isCA boolean
> > set to true."
>
> I wonder if NSS should accept a certificate without any basic
> constraints these days. Doesn't the BR require those?
For intermediates and roots, yes. For end-entity certs no.
However, according to Appendix B, the profile of certificate extensions
only specifies the requirements for Certificates generated after the
Effective Date.
The intent of deeming them capable of issuance here is to close the
ambiguity of X.509 v1/v2 (note, this is somewhat independent of what RFC
5280 says, which also leaves it ambiguous)
>
> > I don't know. The goal is that the certs be provided "in some sort of
> > standardized format, so that it is not an insurmountable task for
> > interested parties to regularly retrieve and analyze all public
> > disclosures."
>
> In case of a public repository such as a directory listing or even a web
> page with links to the certificates, tools like wget should be able to
> fetch them all if necessary. Would that suffice? Of course an archive
> will work too, but I would prefer to have more than one option.
>
> >
> > So then the sentence:
> > "If there are no such dNSNames (e.g. because the certificate is for
> > issuing IP-address-based certificates), then the certificate MUST
> > contain a dNSNames constraint that prohibits all DNS names."
> >
> > Should be changed to what?
>
> Maybe "If there are no such dNSNames (e.g. because the certificate is
> for issuing IP-address-based certificates), then the certificate MUST
> NOT contain any dNSNames.
>
> But it seems to me not entirely clear what is to be achieved here. IP
> addresses and host names can coexist in the SAN extensions. When there
> are no host names defined (and only IP addresses) than no dnsNames will
> appear in the SAN...
I believe the concern is that, as currently written, the language enforces
a restriction that prevents the *possibility* of misissuance under a
relevant name type.
Without the presence of the "Not good for any names", it's left to
application logic to make some determination as to whether the given name
type should be considered trustworthy, given the chain presented.
Consider an intermediate certificate issued to an enterprise CA that
specifies an iPAddress permittedSubtrees constraint that restricts it to
the organization's authorized (as assigned by the RIR like
ARIN/RIPE/APNIC/etc) IP space.
This client is "clearly" only authorized to issue certificates for
iPAddress SANs. These match the "technical constraints" section, so this
CA does not need to be disclosed. Now imagine this CA issues a certificate
with a dNSName of "
www.google.com"
Under RFC5280 validation, such a certificate chain is valid (at least as
far as I read and interpret). 4.2.1.10. only requires that *constrained*
name types be rejected. This is highlighted in Section 8 (Security
Considerations), which states
In general, using the nameConstraints extension to constrain one name
form (e.g., DNS names) offers no protection against use of other name
forms (e.g., electronic mail addresses).
The current language closes this, by forcing the (NSS
supported/recognized) name types to be constrained, if the issuing CA does
not intend/authorized the subordinate to issue names of that type.
Under the BR (Section 9.2.1), the only subjectAltName name types that are
permitted are iPAddress and dNSName, so that's why the technical
constraints language requires both be present, and either explicitly say
"no names" or limit the names to the CA-validated namespaces.
>
> >
> >> I think NSS should ignore any content in the common name entirely (host
> >> names are not authoritative in the common name field).
> >>
> >
> > So then we don't need to worry about this in the policy, just need to
> > make sure NSS moves to this behavior.
>
> Yes - client software that don't support the SAN extension have become
> obsolete. I'm not ware of any common browser that doesn't supports it,
> hence the common name field which was necessary in the 90's should be
> ignored.
You're conflating two different issues. While "most" client software
supports sANs now (ignoring the vast majority of server-side processing
code that fails to support SANs or improperly supports wildcards), the
issue is the number of certificates issued without any sANs.
Unless and until every one of those "otherwise valid" certificates are
expired or revoked, the latter of which is not at all required under the
BR, then user agents must still be concerned with supporting them **when
no sAN is present**.
So no CA, issuing under the BR, should/will ever issue a leaf without a
sAN, so the discussion of nameConstraints is somewhat irrelevant. The only
place it applies is if, when CAs are adopting their infrastructure to
conform to the proposed requirements, and re-issuing enterprise
intermediate CAs to be technically constrained, that any **existing**
end-entity certs under those nodes remain as technically constrained as
any **new** certs (which will always have sANs)
This is the whole discussion of "legacy", which is on a different
timetable for CA issuance than it is for client support.