Opened 6 years ago

Last modified 6 years ago

#154 new enhancement

CSR extension to convey a certificate subscriber's CT preferences to the CA

Reported by: rob.stradling@…
Owned by: rob.stradling@…
Priority: major
Milestone:
Component: to-be-decided
Version:
Severity: -
Keywords:
Cc:

Description

Some certificate subscribers might want to communicate various CT-related things to the CA. For example...

  • Please generate a Precertificate and then embed SCTs in the certificate.
  • I'm using OCSP Stapling; please embed SCTs in OCSP Responses for this certificate.
  • Please embed inclusion proofs (rather than SCTs) in the certificate; I accept that this will delay issuance of the certificate.
  • Please embed SCTs from as many logs as possible.
  • Please embed SCTs from logs X, Y and Z, and not from logs A, B or C.
  • Please do _not_ log this certificate to any logs; I accept that some TLS clients may reject the certificate due to CT non-compliance.

Some CAs might permit these sorts of details to be specified in a <form> on a webpage when the subscriber requests the certificate. That's great, but it probably won't work for everyone.
In particular, putting this information in a CSR extension would make it possible to tunnel it through ACME or via a certificate reseller.

(I'm assigning this ticket to the rfc6962-bis component for now, but I see no particular reason why it couldn't be punted to some other document. I don't want this ticket to delay WGLC for 6962-bis).

Change History (4)

comment:1 Changed 6 years ago by benl@…

Agree this should probably be a different doc.

comment:2 Changed 6 years ago by rob.stradling@…

The OID 1.3.101.79 has been reserved for this proposed CSR extension.
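
As an added example (not code from this ticket, from rfc6962-bis or from any CA), the following shows how a subscriber could carry the preferences listed in the description inside a CSR extension under the reserved OID 1.3.101.79, and how a CA could verify the CSR and read them back. The ticket reserves only the OID, so the ASN.1 layout, the field names and the consistency rule below are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
)

// OID reserved in this ticket (comment 2) for the CT-preferences CSR extension.
var oidCTPreferences = asn1.ObjectIdentifier{1, 3, 101, 79}

// ctPreferences: hypothetical ASN.1 SEQUENCE for the extension value (the ticket only reserves the OID; this layout is assumed).
type ctPreferences struct {
	EmbedSCTs  bool     // issue a precertificate and embed SCTs in the certificate
	StapleSCTs bool     // subscriber staples OCSP; deliver SCTs in OCSP responses
	DoNotLog   bool     // do not submit the certificate to any log
	OnlyLogIDs [][]byte // if non-empty, accept SCTs only from these log IDs
}

// buildCSR (subscriber side): sign a CSR for sans carrying the preferences as an extra extension, so they survive ACME or a reseller.
func buildCSR(sans []string, p ctPreferences) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	val, err := asn1.Marshal(p) // DER value placed verbatim in the extension
	if err != nil { return nil, err }
	tmpl := &x509.CertificateRequest{DNSNames: sans,
		ExtraExtensions: []pkix.Extension{{Id: oidCTPreferences, Value: val}}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// readPreferences (CA side): verify the CSR signature, extract the extension and reject self-contradictory requests.
func readPreferences(der []byte) (p ctPreferences, err error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil { return p, err }
	if err = csr.CheckSignature(); err != nil { return p, err }
	for _, e := range csr.Extensions {
		if !e.Id.Equal(oidCTPreferences) { continue }
		if rest, err := asn1.Unmarshal(e.Value, &p); err != nil || len(rest) != 0 {
			return p, errors.New("malformed CT preferences extension")
		}
		if p.DoNotLog && (p.EmbedSCTs || p.StapleSCTs || len(p.OnlyLogIDs) > 0) {
			return p, errors.New("contradictory CT preferences")
		}
		return p, nil
	}
	return p, errors.New("CSR has no CT preferences extension")
}
```

The CA-side check rejects "do not log" combined with any request for SCTs, which is the kind of conflict a free-text web form cannot catch mechanically.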

comment:3 Changed 6 years ago by rob.stradling@…

Certificate subscribers will also need to be able to communicate name redaction requirements to CAs. One way to do that would be to require the CSR to have:

  • all of the required domain name(s) in a SAN extension.
  • a corresponding "redacted labels" extension (OID 1.3.101.77, with syntax as defined by 6962-bis).

comment:4 Changed 6 years ago by melinda.shore@…

  • Component changed from rfc6962-bis to to-be-decided