FPKI Lint Change Log

Updated: 01/12/2024

Updates and modifications

  • Updated version numbers for Common-SSP v2.1, 2.2, and FBCA v2.0 to the correct versions.
  • Updated dropdown list to reflect the correct version numbers.
  • Updated each more_info_url to the URL of the profile's PDF document.

Common Profile v2.2

| Profiles Affected | Common Profile Changes |
| --- | --- |
| All profiles except Worksheet 1 | Authority Information Access & Certificate Revocation List Distribution Point - Require HTTP URI first |
| All profiles except Worksheet 1 | Authority Information Access - Allow .cer |
| All Profiles | DN Encoding: Allow only printableString and/or UTF8 |
| Worksheet 1-3 | • Key Usage - Remove digital signature and non-repudiation bits from CA profiles<br>• Removes ability to perform direct OCSP signing by a CA; delegated OCSP signing only |
| Worksheet 6-11, 16-17 | Allow Subject Directory Attributes (e.g., citizenship) |
| Worksheet 3 | Cross Certificate:<br>• Clarify appropriate use of requireExplicitPolicy<br>• inhibitPolicyMapping, Offer distinction from the Intermediate CA Certificate profile (new) |
| Worksheet 4 | Intermediate Certificate (new profile):<br>• Prohibit policy mappings<br>• Policy constraints are optional<br>• Subject Information Access extension is required, unless the CA certificate includes path length constraint of 0 |
| Worksheet 13 | OCSP Responder Certificate, EKU must be marked critical |
| Worksheet 8,9 | Signature Certificates and Key Management Certificates<br>• For PIV, id-kp-emailProtection must be included<br>• rfc822Name is required if id-kp-emailProtection is asserted in Extended Key Usage |

Bridge Profile v2.0

| Profiles Affected | Bridge Profile Changes |
| --- | --- |
| Worksheet 8, 9 | • Profiles under PIV-I should be merged with FBCA as new profiles<br>• Worksheet 9 (PIV-I Authentication Certificate) change<br>• Delete the following profiles (do not merge with FBCA): PIV-I Signature profile; PIV-I Key Management Profile; PIV-I Self Signed; PIV-I Cross Certificate PIVA-I |
| Worksheet 4-7 and Worksheet 10-17 | Several new profiles were drafted to include:<br>• Intermediate/Signing CA Certificate<br>• Authentication Certificate (non-PIV-I)<br>• Device Certificate |
| All except Worksheet 1 | Authority Information Access & Certificate Revocation List Distribution Point - Require HTTP URI first |
| All except Worksheet 1 | Authority Information Access - Allow .cer |
| All Worksheets | DN Encoding: Allow only printableString and/or UTF8 |
| Worksheet 6,7,11,16 | Optionally allow Subject Directory Attributes (e.g., citizenship) for authentication certificates (General, PIV-I, PIV-I card authentication) |
| Worksheet 3, 4 | Cross Certificate: Clarify appropriate use of requireExplicitPolicy and inhibitPolicyMapping |
| Worksheet 13 | OCSP Responder Certificate, EKU must be marked critical |
| None | Section 8 References – removed and FBCA CP Appendix D is linked |