Skip to content

Bring profiles into the modern day #307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Bring profiles into the modern day #307

wants to merge 2 commits into from

Conversation

@aarongable
Copy link
Contributor

@aarongable aarongable commented Oct 15, 2025
edited
Loading

Overhaul Section 7.1 Profiles, with two goals in mind:

  • Removing deprecated pieces of our profiles, such as OCSP and the Internet Security Research Group Organization Name.
  • Giving them the same format as the profiles in Section 7.1 of the Baseline Requirements.

Fixes #188
Fixes #304

@aarongable aarongable force-pushed the aarongable-patch-1 branch 3 times, most recently from 1ab9196 to db8ac38 Compare October 15, 2025 22:34
@aarongable
Bring profiles into the modern day
be0fc31 
Overhaul Section 7.1 Profiles, with two goals in mind:
- Removing deprecated pieces of our profiles, such as OCSP and the `Internet Security Research Group` Organization Name.
- Giving them the same format as the profiles in Section 7.1 of the Baseline Requirements.

Fixes #188
Fixes #304
@aarongable aarongable marked this pull request as ready for review October 15, 2025 22:41
@aarongable
Copy link
Contributor Author

aarongable commented Oct 15, 2025

Preview the result here: https://github.com/letsencrypt/cp-cps/blob/aarongable-patch-1/CP-CPS.md#7-certificate-crl-and-ocsp-profiles

@jsha
Copy link
Contributor

jsha commented Nov 6, 2025

Diffing the Root CA Certificate section against the corresponding section in the BRs:

  • For version, the BRs say "MUST be v3(2)" in the table; this branch refers out to a section.
  • issuer: the branch carries over "meaningful CN", but that's not in the BRs. I'd recommend deleting it. Also, the branch says just "ISRG" but some pre-existing roots still spell out "Internet Security Research Group"; I think it makes sense to include both here.
  • validity: the BRs refer out to a section; we inline it. Since a goal of this is closely matching the BRs, probably better to put our rules in a section to.
  • subject: the language here says it's byte-for-byte identical to issuer, but the BRs have it the other way around: issuer is described as byte-for-byte identical to subject, and subject has the naming description.
  • subjectKeyIdentifier - I think this is calculated differently for our old vs new roots and we should include both methods here.

@aarongable
Copy link
Contributor Author

aarongable commented Nov 7, 2025

Diffing the Root CA Certificate section against the corresponding section in the BRs:

  • For version, the BRs say "MUST be v3(2)" in the table; this branch refers out to a section.

Yes, that's because we don't want to say the same thing in multiple places. The BRs, on the other hand, are happy to do so: they repeat the same "MUST be v3" language in both 7.1.1 and 7.1.2.x.

  • issuer: the branch carries over "meaningful CN", but that's not in the BRs. I'd recommend deleting it. Also, the branch says just "ISRG" but some pre-existing roots still spell out "Internet Security Research Group"; I think it makes sense to include both here.

Good point re: "meaningful"; I think we should replace it with "unique" since that's what the BRs ask for: "The contents SHOULD be an identifier for the certificate such that the certificate's Name is unique across all certificates issued by the issuing certificate."

I specifically removed all aspects of these profiles that pertain to our old root and intermediate certificates. Although we are still using them, they were issued under an older version of our CP/CPS, and therefore still comply. The CP/CPS, like the BRs, governs the certificates we issue, not the ones we happen to be using.

  • validity: the BRs refer out to a section; we inline it. Since a goal of this is closely matching the BRs, probably better to put our rules in a section to.

I previously agreed with this stance, and tried to break everything out into sections like the BRs do. It felt even more confusing, because the BRs subsections are in arbitrary orders (since some are unique to specific profiles, while others are shared across profiles), and we cannot match the BRs sub-sub-subsection numbering. I think that this simplified, inlined version is actually easier to cross-reference with the BRs, due to only having to jump around within one doc, rather than both.

  • subject: the language here says it's byte-for-byte identical to issuer, but the BRs have it the other way around: issuer is described as byte-for-byte identical to subject, and subject has the naming description.

Good point, I'll reverse it.

  • subjectKeyIdentifier - I think this is calculated differently for our old vs new roots and we should include both methods here.

See reply above about not describing our old issuance practices anymore.

@aarongable
Review comments
9787631 
- Flip the statments about Root CA issuer and subject.
- Replace "meaningful" with "unique" when describing subject CN.
@aarongable aarongable mentioned this pull request Nov 8, 2025
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andygabby andygabby Awaiting requested review from andygabby

@bdaehlie bdaehlie Awaiting requested review from bdaehlie

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Clean up profiles to remove old-style optional fields Update Section 7 to reflect the structure of v2.0.0 of the BRs

3 participants

@aarongable @jsha