Ballot-105 passed

Ballot 105 – Technical Constraints for Subordinate Certificate Authorities Yielding Broader and Safer PKI Adoption.

Server Certificate Working Group

Key dates

Effective date: 01 Aug 2013
Voting opened: 22 Jul 2013
Voting closed: 29 Jul 2013
Discussion opened: 15 Jul 2013
Discussion closed: 22 Jul 2013

AI Summary

Generated 2026-06-23 21:35 UTC

Ballot overview

  • Ballot 105, Technical Constraints for Subordinate Certificate Authorities Yielding Broader and Safer PKI Adoption, is marked Passed.
  • The motion was made by Steve Roylance and endorsed by Gervase Markham from Mozilla and Stephen Davidson from QuoVadis.
  • The ballot proposes amendments to the Baseline Requirements to clarify external audits for Subordinate CAs, define Technically Constrained Subordinate CA Certificates, and describe how technical constraints can be implemented using EKU and Name Constraints.

Main requirements described in the motion

  • Subordinate CA certificates that are considered Technically Constrained must include an EKU extension specifying all extended key usages the certificate is authorized to issue.
  • If a Subordinate CA certificate includes id-kp-serverAuth, it must also include Name Constraints covering dNSName, iPAddress, and DirectoryName as described in the motion.
  • If a Subordinate CA is not allowed to issue iPAddress certificates, it must exclude the full IPv4 and IPv6 ranges in excludedSubtrees.
  • If a Subordinate CA is not allowed to issue dNSNames, it must include a zero-length dNSName in excludedSubtrees.
  • The ballot adds audit language stating that certificates capable of issuing new certificates must either be Technically Constrained and audited under section 17.9 only, or be Unconstrained and fully audited under the remaining section 17 requirements.
  • The ballot adds a quarterly quality assessment requirement for Technically Constrained Subordinate CAs during the period they issue certificates.
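
The EKU and Name Constraints rules summarized above can be expressed as a small profile linter. This is an added example, not text or code from the ballot or the CA/Browser Forum; the dictionary layout and function name are hypothetical, and two readings are assumptions: an empty permitted list means that name type may not be issued, and DirectoryName counts as covered when a permitted subtree exists.

```python
import ipaddress

SERVER_AUTH = "id-kp-serverAuth"
# Excluding both of these networks removes the whole IPv4 and IPv6 address space.
FULL_RANGES = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def lint_constrained_sub_ca(profile):
    """Return findings for a Sub CA profile; an empty list means no rule was violated."""
    eku = profile.get("eku") or []
    if not eku:
        return ["no EKU extension: not Technically Constrained"]
    if SERVER_AUTH not in eku:
        return []  # the Name Constraints rules below are tied to serverAuth
    nc = profile.get("name_constraints")
    if nc is None:
        return ["serverAuth in EKU but no Name Constraints extension"]
    permitted, excluded = nc.get("permitted", {}), nc.get("excluded", {})
    findings = []
    # Assumption: an empty permitted list means that name type may not be issued.
    if not permitted.get("iPAddress"):
        blocked = {ipaddress.ip_network(c) for c in excluded.get("iPAddress", [])}
        if not FULL_RANGES <= blocked:
            findings.append("iPAddress: full IPv4 and IPv6 ranges not excluded")
    if not permitted.get("dNSName") and "" not in excluded.get("dNSName", []):
        findings.append("dNSName: zero-length name not excluded")
    # Assumption: directoryName counts as covered when a permitted subtree exists.
    if not permitted.get("directoryName"):
        findings.append("directoryName: no permitted subtree")
    return findings

# Constructed sample profiles (not taken from real certificates).
GOOD = {"eku": [SERVER_AUTH], "name_constraints": {
    "permitted": {"dNSName": ["example.com"], "directoryName": ["O=Example Corp,C=US"]},
    "excluded": {"iPAddress": ["0.0.0.0/0", "::/0"]}}}
IPV4_ONLY = {"eku": [SERVER_AUTH], "name_constraints": {
    "permitted": {"dNSName": ["example.com"], "directoryName": ["O=Example Corp,C=US"]},
    "excluded": {"iPAddress": ["0.0.0.0/0"]}}}  # IPv6 space left open
NO_DNS = {"eku": [SERVER_AUTH], "name_constraints": {
    "permitted": {"directoryName": ["O=Example Corp,C=US"]},
    "excluded": {"iPAddress": ["0.0.0.0/0", "::/0"], "dNSName": []}}}
EMAIL_ONLY = {"eku": ["id-kp-emailProtection"]}

if __name__ == "__main__":
    for name in ("GOOD", "IPV4_ONLY", "NO_DNS", "EMAIL_ONLY"):
        print(name, lint_constrained_sub_ca(globals()[name]))
```
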

OCSP and audit-related changes

  • The ballot amends the non-issued certificate OCSP rule so that, effective 1 August 2013, OCSP responders for CAs that are not Technically Constrained must not respond with a good status for certificates that have not been issued.
  • The ballot also clarifies that technically constrained subordinate CAs may be audited under section 17.9 only, while unconstrained issuing CAs remain subject to the full audit requirements.

Timing stated in the ballot

  • The review period was to commence on July 15th, 2013 and close on July 22nd, 2013.
  • The voting period was to start immediately after the review period and close on July 29, 2013.
  • The motion text also states that the proposed changes are effective immediately, but the ballot separately gives a specific effective date for the OCSP responder requirement.

Scope and applicability

  • The motion states that the requirements are applicable to all Certification Authorities within a chain of trust and are to be flowed down from the Root Certification Authority through successive Subordinate Certification Authorities.
  • The technical constraints language applies to Subordinate CA Certificates considered Technically Constrained under section 9.7.
  • The OCSP responder restriction applies only to CAs which are not Technically Constrained in line with section 9.7.
Model: gpt-5.4-mini Confidence: 0.98 Result: passed
Applicability and conditions

2013-08-01: OCSP responders must not respond with a good status for certificates that have not been issued. Applies to: OCSP responders for CAs which are not Technically Constrained in line with Section 9.7.

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

