Re: [pkix] Amendment to CABF Baseline Requirements

Peter Bowen <pzbowen@gmail.com> Thu, 06 April 2017 20:39 UTC

Return-Path: <pzbowen@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24B17128954 for <pkix@ietfa.amsl.com>; Thu, 6 Apr 2017 13:39:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8CLNBboCE0w for <pkix@ietfa.amsl.com>; Thu, 6 Apr 2017 13:39:20 -0700 (PDT)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4054127097 for <pkix@ietf.org>; Thu, 6 Apr 2017 13:39:19 -0700 (PDT)
Received: by mail-oi0-x235.google.com with SMTP id f193so65312646oib.2 for <pkix@ietf.org>; Thu, 06 Apr 2017 13:39:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Wep4YthLcVBgzbJlDfPIeuYjstLcA8O4OBbXgC3fYjk=; b=rRVrRQNNTSk0pRJSJwej5Ng14hiCWAmnLBS40Tzi5jmQKVy3SV6GghiGixw+CNYiVm QlCwI95ejRKZGOLaodEvVHx1JX8lnf+Ts5Ap5Gr/qsaR4rkqG7J8Fa/fKU0l0TsEKQw2 gv2rsdP9mT2Nw9QV56lWyjoO9Nilnc3w7cpptyOl0yptNd8iWBYzXl3/NPg0eBs7JZUH Dyfx72WmveHeKFAwd0iqZ2pN+D7KJlc9GZ2ucq9j51xAO0CoHqGHYof490+F5QX3HsIO KvKsdKaOZ7kn5USjuiHKWmaz92Qzg8w9OGFpQ+VRKjzc/ZZa+F/sr7+9sGhpZGtCBGiY JrEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Wep4YthLcVBgzbJlDfPIeuYjstLcA8O4OBbXgC3fYjk=; b=oWphOlh9zhXvKbhSm4e2LSwC6RaoEcvlr7fZk5O6pwfaJwMOBKCAcxF1dTQkgSHv7v nMYPwul/2hlbxX59uf0TwK221ttgnusIYNsxM6otwN42ux5OOM0sWuXS9sSDNxkRVdFg 0EPGCU5K6TfII6ydaiw/bOWSa8YMBb1S5orSaRwkBZtPgkeWmew0RM5on4aCnVBy+yyP 9+ICpXGrQUIP6miWPKlfFTkjAm4n6kP+V8LzXDRiTOP+wE7M0DRg1YkalT7Lp2tcAwOs DR+q3S9UuzWDa/EDdlVtBD82y+Kdi1YGtwTT1jHxZDB6TvcWfc9bG5UeUTL52M0MFmae AobQ==
X-Gm-Message-State: AFeK/H1Ld4Wzyu95Ima162d7mtiHJoa2rj+SnGCFGERVTuKh6VIUBbSxA14HCdCSOALQAGshtXRiwJ2vNLQjrA==
X-Received: by 10.157.52.116 with SMTP id v107mr12400187otb.38.1491511159179; Thu, 06 Apr 2017 13:39:19 -0700 (PDT)
MIME-Version: 1.0
References: <906f1c1dde4f44789646197d887da312@EX2.corp.digicert.com> <a24a24b9-542c-a619-3445-47e812f9c46b@nthpermutation.com> <27e9bc684735472bbd6d7f82b5e2823b@EX2.corp.digicert.com> <662C0D5C-EF34-4BD1-B3BC-B7B9A84B4990@vigilsec.com>
In-Reply-To: <662C0D5C-EF34-4BD1-B3BC-B7B9A84B4990@vigilsec.com>
From: Peter Bowen <pzbowen@gmail.com>
Date: Thu, 06 Apr 2017 20:39:08 +0000
Message-ID: <CAK6vND9-oxL_acNk21D36UeXHqUM0Rz57cpB_zpCJaTJMPeZ2g@mail.gmail.com>
To: Ben Wilson <ben.wilson@digicert.com>, Russ Housley <housley@vigilsec.com>
Cc: IETF PKIX <pkix@ietf.org>
Content-Type: multipart/alternative; boundary=001a1141563cd24f9d054c85809e
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/igWz36OccWv2NIjuRNkE1aBaW2c>
Subject: Re: [pkix] Amendment to CABF Baseline Requirements
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2017 20:39:23 -0000

On Thu, Apr 6, 2017 at 12:24 PM Russ Housley <housley@vigilsec.com> wrote:

> The comment in the UpperBounds ASN.1 module (the 8th edition) says:
>
> -- EXPORTS All
> -- The types and values defined in this module are exported for use in the
> other ASN.1
> -- modules contained within these Directory Specifications, and for the
> use of other
> -- applications which will use them to access Directory services. Other
> applications
> -- may use them for their own purposes, but this will not constrain
> extensions and
> -- modifications needed to maintain or improve the Directory service.
>
> X.509 is part of the Directory Specifications, so they are not advisory.
>
> It looks like ITU-T increased the length of the organizational unit name
> in the most recent edition.
>
> RFC 5280 says:
>
> ub-organization-name-length INTEGER ::= 64
> ub-organizational-unit-name-length INTEGER ::= 32
>
> The UpperBounds ASN.1 module (the 8th edition) says:
>
> ub-organization-name                       INTEGER ::= 64
> ub-organizational-unit-name                INTEGER ::= 64
>
> So, we may already be in a place where implementations conforming to X.509
> will produce a certificate that cannot be decoded by an implementation that
> conforms to RFC 5280.
>
> I wish we gad gotten a heads-up …


It is even worse. 7th and 8th (and maybe prior releases) removed the usage
of ub- from the schema. The schema itself no longer bounds DirectoryStrings
and X.509 explicitly says they are unbounded.



>
> Russ
>
>
>
> > On Apr 6, 2017, at 2:55 PM, Ben Wilson <ben.wilson@digicert.com> wrote:
> >
> > Thanks, Michael.    Is it relevant that Annex C to X.520 (2012) states,
> > "(This annex does not form an integral part of this Recommendation |
> > International Standard.)" whereas before (1988) it stated,  "This Annex
> is
> > part of the Recommendation."?
> >
> > From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Michael StJohns
> > Sent: Thursday, April 6, 2017 10:55 AM
> > To: pkix@ietf.org
> > Subject: Re: [pkix] Amendment to CABF Baseline Requirements
> >
> > Hi Ben -
> >
> > IETF 5280 et al are profiles of the X.509 documents.  The upper length
> > bounds for orgnaizationName and commonName fields in 5280 is no different
> > than the upper bounds specified in X.509 (at least as of the 2014
> > document).  I would suggest that you will pretty much break any and all
> > implementations of X.509 clients that rely or enforce this limit as well
> as
> > any code that generates certificate requests.
> >
> > I will note that overloading text fields with structured data is
> generally
> > not a good idea - as you've found.
> >
> > Mike
> >
> >
> >
> > On 4/6/2017 12:24 PM, Ben Wilson wrote:
> > Does anyone want to comment on my draft amendment to the CA/Browser
> Forum’s
> > Baseline Requirements for SSL/TLS Certificates which would remove the
> > 64-character limit on the commonName and organizationName,  as an
> exception
> > to RFC 5280?  The text of the relevant Baseline Requirement provision is
> > found below with the proposed additional language in ALL CAPS.  The
> reason
> > for the first change (commonName) is there are FQDNs (in Subject
> Alternative
> > Names) that are longer than 64 characters.  The reason for the second
> change
> > (organizationName) is that there are organizations with names longer
> than 64
> > characters.
> >
> > 7.1.4.2.2.             Subject Distinguished Name Fields
> > a.            Certificate Field: subject:commonName (OID 2.5.4.3)
> > Required/Optional: Deprecated (Discouraged, but not prohibited)
> > Contents: If present, this field MUST contain a single IP address or
> > Fully-Qualified Domain Name that is one of the values contained in the
> > Certificate’s subjectAltName extension (see Section 7.1.4.2.1).
> > MAXIMUM LENGTH:  NO STIPULATION.  (THIS IS AN EXCEPTION TO RFC 5280 WHICH
> > SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
> > b.            Certificate Field: subject:organizationName (OID 2.5.4.10)
> > Optional.
> > Contents: If present, the subject:organizationName field MUST contain
> either
> > the Subject’s name or DBA as verified under Section 3.2.2.2. The CA may
> > include information in this field that differs slightly from the verified
> > name, such as common variations or abbreviations, provided that the CA
> > documents the difference and any abbreviations used are locally accepted
> > abbreviations; e.g., if the official record shows “Company Name
> > Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”.
> > Because Subject name attributes for individuals (e.g. givenName
> (2.5.4.42)
> > and surname (2.5.4.4)) are not broadly supported by application software,
> > the CA MAY use the subject:organizationName field to convey a natural
> person
> > Subject’s name or DBA.
> > MAXIMUM LENGTH:  256 CHARACTERS (THIS IS AN EXCEPTION TO RFC 5280 WHICH
> > SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
> >
> > Thanks,
> > Ben Wilson
> >
> >
> >
> > _______________________________________________
> > pkix mailing list
> > mailto:pkix@ietf.org
> > https://www.ietf.org/mailman/listinfo/pkix
> >
> > _______________________________________________
> > pkix mailing list
> > pkix@ietf.org
> > https://www.ietf.org/mailman/listinfo/pkix
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>