cabforum / servercert

Repository for the CA/Browser Forum Server Certificate Chartered Working Group
https://cabforum.org/working-groups/scwg/

Clean up usage of the "Certificate Profile" Defined Term #526

Open CBonnell opened 3 months ago

CBonnell commented 3 months ago

The conversation for draft ballot SC-75 indicated that the BRs are not consistent in defining "Certificate Profile" vs. how it is used.

Namely, it is defined as a configuration or document that implements a profile for certificates that conform to section 7 of the TLS BRs. However, in several places, it is used to reference the profile requirements in section 7 themselves. The latter type of usage is inconsistent with the definition and should be corrected.

github-actions[bot] commented 3 months ago

This issue was created based on:

timfromdigicert commented 3 months ago

Honestly, I actually think Section 7 does in fact have certificate profiles. After all, the title of 7.1 is "Certificate profile", and that section and title come directly from RFC 3647. But yes, it does make things horribly ambiguous. For example, the following is a valid sentence in my head:

"All of DigiCert's certificate profiles that allow the ServerAuth EKU also comply with the relevant certificate profile in section 7 of 'Baseline Requirements for I&M of publicly-trusted TLS Server Certificates'"

I think what people want is a distinction between the concept of "issuance profiles", which is some sort of policy or configuration information that describes what a particular CA does / does not issue, and the technical compliance requirements for all trusted CAs. They are of course closely related, but never the same, unless you buy the argument that it's ok to just copy Section 7 into your CPS, even if you don't do everything it describes. I know some CAs were arguing in Shanghai that that was ok, and whether it is, is one of the things we'd have to address if we decide we want to distinguish between the actual issuance practices of a CA, as described by a profile, and the technical compliance requirements, as described by a profile.

So I think there's more subtlety in cleaning this up than the discussion in the other conversation considered.