Possible conflict between Microsoft Root Certification Technical Requirement V 2.0 and CABF Baseline Requirement about extendedkeyusage



Similar documents
CA-DAY Michael Kranawetter, Chief Security Advisor (Tom Albertson, Security Program Manager) Microsoft

Microsoft Trusted Root Certificate: Program Requirements

Independent Accountants Report

Independent Accountants Report

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

epki Root Certification Authority Certification Practice Statement Version 1.2

Frost & Sullivan. Publisher Sample

ETSI SR V1.1.2 ( )

thawte Certification Practice Statement

Bugzilla ID: Bugzilla Summary:

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Managing CA-Signed Certificates

fulfils all requirements defined in the technical specification The appendix to the certificate is part of the certificate and consists of 6 pages.

Publicly trusted certification authorities (CAs) confirm signers identities and bind their public key to a code signing certificate.

ETSI TC ESI PRESENTATION TO CAB FORUM. ETSI All rights reserved

Public Certification Authority Certification Practice Statement of Chunghwa Telecom (PublicCA CPS) Version 1.5

Actalis Object Identifiers (OIDs)

Gain a New Level of Trust with Extended Validation SSL Certificates

CERTIFICATION PRACTICE STATEMENT UPDATE

WebTrust SM/TM for Certification Authorities WebTrust Principles and Criteria for Certification Authorities Extended Validation Code Signing

ETSI TR V1.1.1 ( )

Entrust Certificate Services. Java Code Signing. User Guide. Date of Issue: December Document issue: 2.0

IBM Security QRadar Version (MR1) Replacing the SSL Certificate Technical Note

CA Self-Governance: CA / Browser Forum Guidelines and Other Industry Developments. Ben Wilson, Chair, CA / Browser Forum

Certification Practice Statement of CERTUM s Certification Services

TeleTrusT European Bridge CA Status and Outlook

GlobalSign Digital IDs for Adobe AIR Code Signing

Internal Server Names and IP Address Requirements for SSL:

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Best prac*ces in Cer*fying and Signing PDFs

Extended SSL Certificates

ENTRUST CERTIFICATE SERVICES

Ciphermail Gateway EJBCA integration guide

CODE SIGNING. Why Developers Need to Digitally Sign Code and Applications entrust.com

extended validation SSL certificates: a standard for trust THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

Microsoft Project Professional

PKI Services: The Best Kept Secret in z/os

Faking Extended Validation SSL Certificates in Internet Explorer 7

Tivoli Endpoint Manager for Security and Compliance Analytics

SolarWinds Technical Reference

Designing IT Platform Collaborative Applications with Microsoft SharePoint 2003 Workshop

Programme of Requirements part 3h: Certificate Policy Server certificates Private Services Domain (G3)

Tivoli Endpoint Manager for Security and Compliance Analytics. Setup Guide

ETSI TS V2.4.1 ( )

TIBCO Spotfire Platform IT Brief

THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Published By: RSA Security Inc.

Statoil Policy Disclosure Statement

Enable SSL in Go2Group SOAP Server

Extended Validation SSL Certificates

Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.

TREND MICRO SSL CERTIFICATION PRACTICE STATEMENT. Version 2.0

Junio SSL WebLogic Oracle. Guía de Instalación. Junio, SSL WebLogic Oracle Guía de Instalación CONFIDENCIAL Página 1 de 19

WEBTRUST FOR CERTIFICATION AUTHORITIES SSL BASELINE REQUIREMENTS AUDIT CRITERIA V.1.1 [Amended 1 ] CA/BROWSER FORUM

StartCom Certification Authority

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Comodo Extended Validation (EV) Certification Practice Statement

Basics of SSL Certification

ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance. ETSI All rights reserved

CERTIFICATE POLICY (CP) (For SSL, EV SSL, OSC and similar electronic certificates)

Overview of Extended Validation (EV) SSL

Analysis of the Global SSL Certificate Market. The Growing Need for Value-added Solutions

Comodo Certification Practice Statement

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

Digital Signatures in a PDF

Verify LDAP over SSL/TLS (LDAPS) and CA Certificate Using Ldp.exe

WiMAX Public Key Infrastructure (PKI) Users Overview

Exchange Reporter Plus SSL Configuration Guide

50412: Implementing Active Directory Federation Services 2.0

Trustwave Holdings, Inc

Version Highlights. CertainT 100 SSL Accelerator. Version International. New hardware and software version. North America

How to Prepare Your Salesforce Service for Certificate Changes

AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide... 3 About this guide... 3

DEPLOYMENT ROADMAP March 2015

ECC Certificate Addendum to the Comodo EV Certification Practice Statement v.1.03

Introducing Director 11

Swiss Government Root CA II. Document OID:

An Oracle White Paper September Directory Services Integration with Database Enterprise User Security

SSL Certificates and Bomgar

Deploying and Managing a Public Key Infrastructure

Installation instructions for the supplier VPN solution

SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release [August] [2014]

Wildcard and SAN: Understanding Multi-Use SSL Certificates

Enterprise Content Management System Monitor 5.1 Security Considerations Revision CENIT AG Brandner, Marc

Analysis of the Global SSL Certificate Market

Title: How to set up SSL between CA SiteMinder Web Access Manager - SiteMinder Policy Server and Active Directory (AD)

Information. Questions will be answered at the end. Please submit questions to Erick Mendoza using the chat function.

Document Classification: Public Document Name: SAPO Trust Centre - Generating a SSL CSR for IIS with SAN Document Reference:

CA/Browser Forum. Guidelines For The Issuance And Management Of Extended Validation Certificates

Transcription:

Possible conflict between Microsoft Root Certification Technical Requirement V 2.0 and CABF Baseline Requirement about extendedkeyusage Chunghwa Telecom Co., Ltd. Li-Chun CHEN, Engineer, CISSP, CISM, CISA, PMP realsky@cht.com.tw CA/Browser Forum Meeting 33 September, 16, 2014 1

RFC 5280 about Extend Key Usage 4.2.1.12. Extended Key Usage This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates. This extension is defined as follows: id-ce-extkeyusage OBJECT IDENTIFIER ::= { id-ce 37 } ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId KeyPurposeId ::= OBJECT IDENTIFIER 2

CABF BR about Extended Key Usage CABF try the best to conform the BR to RFC 5280 In Appendix B Certificate Extensions (a) Root CA Certificate D. extendedkeyusage This extension MUST NOT be present. (b) Subordinate CA Certificate G. extkeyusage (optional) Only Technically Constrained Subordinate CA Certificate MUST include an Extended Key Usage (EKU) extension. ** Generally Extended Key Usage will only appear within end entity certificates (as highlighted in RFC 5280 (4.2.1.12)), however, Subordinate CAs MAY include the extension to further protect relying parties until the use of the extension is consistent between Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide. (c) Subscriber Certificate F. extkeyusage (required) id-kp-serverauth or id-kp-clientauth or both values MUST be present id-kp-emailprotection MAY be present 3

CABF BR about Technically Constrained Subordinate CA Certificate Technically Constrained Subordinate CA Certificate: A Subordinate CA certificate which uses a combination of Extended Key Usage settings and Name Constraint settings to limit the scope within which the Subordinate CA In section 9.7 of CABF BR For Technically Constrained Subordinate CA Certificate the certificate MUST include an Extended Key Usage (EKU) extension specifying all extended key usages that the Subordinate CA Certificate is authorized to issue certificates for. if the Subordinate CA Certificate includes the id-kpserverauth extended key usage, then the Subordinate CA Certificate MUST include the Name Constraints X.509v3 extension with constraints on dnsname, ipaddress and DirectoryName 4

Microsoft Root Certificate Program Technical Requirement V2.0 (Microsoft TR V2.0) In INTERMEDIATE / ISSUING CA CERTIFICATES section: Intermediate CA certificates under root certificates submitted for distribution by the Program must be configured to separate server authentication (SSL) from code signing and time stamping uses. A single issuing CA must not be used to issue both server authentication and code signing certificates. Rollover root certificates will not be accepted that combine server authentication with code signing uses unless the uses are separated by application of EKUs at the intermediate CA certificate level that are reflected in the whole certificate chain. Does that means Microsoft will only accept a new root certificate if all its subordinate CA certificates contain the extendedkeyusage extension? It seems Microsoft TR 2.0 intends to require the extendedkeyusage extension present in all subordinate CA certificates even if they are not technically constrained. 5

Microsoft Root Certificate Program Technical Requirement V2.0 (Microsoft TR V2.0) In INTERMEDIATE / ISSUING CA CERTIFICATES section: Intermediate CA certificates under root certificates submitted for distribution by the Program must be configured to separate server authentication (SSL) from code signing and time stamping uses. A single issuing CA must not be used to issue both server authentication and code signing certificates. Rollover root certificates will not be accepted that combine server authentication with code signing uses unless the uses are separated by application of EKUs at the intermediate CA certificate level that are reflected in the whole certificate chain. Does that means Microsoft will only accept a new root certificate if all its subordinate CA certificates contain the extendedkeyusage extension? It seems Microsoft TR 2.0 intends to require the extendedkeyusage extension present in all subordinate CA certificates even if they are not technically constrained. 6

Suggest more Application Software Providers to join CA/Browser Forum We suggest more Application Software Providers to join CA/Browser Forum to promote B.R. Code signing and E.V. code signing Oracle s Java Root Certificate program IBM (IBM s JAVA SDK) Adobe (They charged USD$7,500 annual fee for Adobe Approved Trust List) 7

8 Value Creator for Investors, Customers, Employees, and Society Thank you! 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information