<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 28, 2017 at 10:20 AM, Bruce Morton via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="m_3937483973768920127WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Gerv,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">For CNs for Subordinate CAs, the ballot states “This field MUST be present and the contents MUST be an identifier for the certificate which is unique across all
certificates issued by the issuing certificate.”<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">In some cases the certificate for a Subordinate CA may be reissued. In this case the Subject Name should stay the same, so the CN should not change. I haven’t
figured out alternative language, but I think it should imply that the CN is unique per each Subordinate CA and not unique per certificate.</span></p></div></div></blockquote><div><br></div><div>While arguably something for a separate ballot, I do hope you and others will think of clear technical reasons why that's desirable, as opposed to issuing a newly-named subordinate and transitionining issuance to that.</div><div><br></div><div>Significant complexities and challenges can be introduced by the approach you describe, and it would be useful (and again, not for this ballot) to explicitly prohibit it. However, if that has unintended consequences (where the intended consequence is a significant simplification for clients and relying party/subscribers as to configuration and security), it would be good to be ruminating on them.</div></div></div></div>