<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 20, 2017, at 12:09 PM, Jacob Hoffman-Andrews <<a href="mailto:jsha@letsencrypt.org" class="">jsha@letsencrypt.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class="">I support this idea, for the same reasons Peter mentioned. We'd like to be able to issue certificates for hostnames >64 characters, which means that the hostname can't be included in the Subject CN. Since that would leave the Subject empty, which causes interoperability problems, we need some attribute that is legal to include in Subject when doing Domain Validation. DN Qualifier seems reasonably well-suited to the purpose.<div class="gmail_extra"><br class=""><div class="gmail_quote">On Sun, Mar 19, 2017 at 4:28 PM, Peter Bowen via Public <span dir="ltr" class=""><<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Certificate Field: subject:qnQualifier (OID: 2.5.4.46) )<br class=""></blockquote><div class=""> </div><div class="">I think this was a small typo and Peter meant to write dnQualifier here</div></div></div></div></div></blockquote><div><br class=""></div><div>Correct. This should be subject:dnQualifier</div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Optional.<br class="">
Contents: This field is intended to be used when several certificates with the same subject can be partitioned into sets of related certificates. Each related certificate set ought to have the same dnQualifier. The CA may include a dnQualifier attribute with a zero length value to explicitly indicate that the CA makes no assertion about the relationship with other certificates with the same subject. The CA MAY wish to set the dnQualifier value to the base64 encoding of the SHA1 hash of the subjectAlternativeName extnValue if it wishes to indicate grouping of certificates by alternative name set.<br class=""></blockquote><div class=""><br class=""></div><div class="">Any reason for SHA1 here over SHA2? I realize the security properties here are not important, but using an older hash always triggers a bit of a code smell.</div></div></div></div>
</div></blockquote><br class=""></div><div>I was modeling this after the KeyId extensions. I’m happy with most any option here given that it is a “may wish to”.</div><br class=""></body></html>
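Added example, not part of the thread above or of any CA's code: the value the proposed text describes is base64(SHA-1(extnValue)) where extnValue is the DER of the GeneralNames SEQUENCE inside the subjectAltName extension's OCTET STRING, not the whole Extension structure. The block below builds that DER by hand for a dNSName-only SAN (so it needs only the standard library), derives the qualifier with either SHA-1 as proposed or SHA-256 as raised in the thread, and checks the result against the PrintableString alphabet that dnQualifier is defined with. The hostnames are constructed, and the function names are my own.

```python
"""Derive a dnQualifier of the form base64(hash(subjectAltName extnValue)).

Added illustration; assumptions: SAN contains only dNSName entries, hostnames
are ASCII (IDNA A-labels), and extnValue means the DER GeneralNames SEQUENCE
that sits inside the extension's OCTET STRING.
"""
import base64
import hashlib

# X.520 PrintableString alphabet; dnQualifier is a PrintableString.
_PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)


def _der_len(n):
    """DER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def san_extn_value(hostnames):
    """DER GeneralNames with one dNSName ([2] IMPLICIT IA5String) per host.

    This is the extnValue content of id-ce-subjectAltName, i.e. what the
    OCTET STRING wraps. Hashing the OCTET STRING or the Extension SEQUENCE
    instead would give a different, and non-comparable, qualifier.
    """
    names = b"".join(
        b"\x82" + _der_len(len(h)) + h.encode("ascii")  # IA5String must be ASCII
        for h in hostnames
    )
    return b"\x30" + _der_len(len(names)) + names


def dn_qualifier(hostnames, hash_name="sha1"):
    """base64(hash(extnValue)); hash_name="sha1" follows the proposal text."""
    digest = hashlib.new(hash_name, san_extn_value(hostnames)).digest()
    return base64.b64encode(digest).decode("ascii")


def printable_string_ok(value):
    """True if every character is in the PrintableString alphabet."""
    return all(c in _PRINTABLE for c in value)


if __name__ == "__main__":
    # Constructed SAN sets; note the >64-character name, the case that
    # motivated moving the hostname out of the Subject CN.
    long_host = ("x" * 70) + ".example.com"
    for hosts in (["example.com", "www.example.com"], [long_host]):
        q = dn_qualifier(hosts)
        print(hosts, "->", q, "printable:", printable_string_ok(q))
```

Two caveats the code makes visible: the DER, and therefore the qualifier, depends on the order of the names as issued, so two certificates with the same names in different order fall into different groups unless the CA fixes an order before encoding; and base64 output (letters, digits, `+`, `/`, `=`) stays inside the PrintableString alphabet, so no escaping is needed, but a SHA-1 qualifier is 28 characters and a SHA-256 one is 44.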