Add profile for Cross-Certified Subordinate CA Certificates#344
Co-authored-by: Preston Locke <me@prestonlocke.net>
| | Key Usage | keyCertSign, cRLSign (critical) | | ||
|
|
||
| ### Subordinate CA Certificate | ||
| ### Cross-Certified Subordinate CA Certificate Profile |
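Review bot: the new heading "### Cross-Certified Subordinate CA Certificate Profile" carries a "Profile" suffix that the sibling heading "### Subordinate CA Certificate" visible in the same hunk does not; pick one form so the two section titles read consistently. Separately, Key Usage (keyCertSign, cRLSign, critical) is the only extension row visible here; since the review below notes that the linked BR section on cross-certified subordinate CA extensions makes the authority and subject key identifiers MUSTs, consider either adding rows for them or stating explicitly that the profile defers to the BRs for extensions it does not list.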
This section doesn't specify AKID or SKID, which are MUST in the BRs: https://cabforum.org/working-groups/server/baseline-requirements/requirements/#71223-cross-certified-subordinate-ca-extensions. Am I correct in assuming we omit them because they're adequately specified in the BRs? The BRs also specify version and signature, which we omit in all our CP-CPS profiles. But on the other hand, our specification of Serial Number is just a partial restatement of what's in the BRs.
Absolutely agreed that the set of things we choose to talk about here is not logical. But I don't want to upend that in this PR; we'll save that for the much bigger CP/CPS changes that happen as part of our remediation items and in preparation for compliance with updated Apple and Mozilla policies regarding CPS content.
jsha
left a comment
This looks good to me. I had a comment about the exact set of fields / extensions we want to include, in terms of whether we are restating each one from the BRs, or only the ones we wish to constrain. But I think this PR is in line with our current practice and is okay to merge.
This CP/CPS previously only had a profile for Subordinate CA Certificates. The values listed in that profile were appropriate for issuing intermediates, but not appropriate for cross-signed roots. Add a profile specifically for "Cross-Certified Subordinate CA Certificates" (as Section 7.1.2.2 of the Baseline Requirements calls them) with values showing which fields are identical to the pre-existing certificate.