Skip to content

Bring profiles into the modern day #307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Bring profiles into the modern day #307

wants to merge 1 commit into from

Conversation

@aarongable
Copy link
Contributor

@aarongable aarongable commented Oct 15, 2025
edited
Loading

Overhaul Section 7.1 Profiles, with two goals in mind:

  • Removing deprecated pieces of our profiles, such as OCSP and the Internet Security Research Group Organization Name.
  • Giving them the same format as the profiles in Section 7.1 of the Baseline Requirements.

Fixes #188
Fixes #304

@aarongable aarongable force-pushed the aarongable-patch-1 branch 3 times, most recently from 1ab9196 to db8ac38 Compare October 15, 2025 22:34
@aarongable
Bring profiles into the modern day
be0fc31 
Overhaul Section 7.1 Profiles, with two goals in mind:
- Removing deprecated pieces of our profiles, such as OCSP and the `Internet Security Research Group` Organization Name.
- Giving them the same format as the profiles in Section 7.1 of the Baseline Requirements.

Fixes #188
Fixes #304
@aarongable aarongable marked this pull request as ready for review October 15, 2025 22:41
@aarongable
Copy link
Contributor Author

aarongable commented Oct 15, 2025

Preview the result here: https://github.com/letsencrypt/cp-cps/blob/aarongable-patch-1/CP-CPS.md#7-certificate-crl-and-ocsp-profiles

@jsha
Copy link
Contributor

jsha commented Nov 6, 2025

Diffing the Root CA Certificate section against the corresponding section in the BRs:

  • For version, the BRs say "MUST be v3(2)" in the table; this branch refers out to a section.
  • issuer: the branch carries over "meaningful CN", but that's not in the BRs. I'd recommend deleting it. Also, the branch says just "ISRG" but some pre-existing roots still spell out "Internet Security Research Group"; I think it makes sense to include both here.
  • validity: the BRs refer out to a section; we inline it. Since a goal of this is closely matching the BRs, probably better to put our rules in a section to.
  • subject: the language here says it's byte-for-byte identical to issuer, but the BRs have it the other way around: issuer is described as byte-for-byte identical to subject, and subject has the naming description.
  • subjectKeyIdentifier - I think this is calculated differently for our old vs new roots and we should include both methods here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andygabby andygabby Awaiting requested review from andygabby

@bdaehlie bdaehlie Awaiting requested review from bdaehlie

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Clean up profiles to remove old-style optional fields Update Section 7 to reflect the structure of v2.0.0 of the BRs

3 participants

@aarongable @jsha