<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">In this particular case, because issued certificates contain the subject name from the issuer, you could argue that issuance from a CA without a subject name is no longer allowed—7.1.4.1 says that the issuer name must match the subject name of the issuer (of course!), and that brings the issuer's name into scope at the time of issuance. This is different from other properties of the issuer’s certificate, like the algorithm it is signed with or its expiry date, because those don’t propagate to the issued certificate.</div><div class=""><br class=""></div><div class="">Or not. You can make arguments either way.</div><div class=""><br class=""></div><div><blockquote type="cite" class=""><div class="">On 4 May 2017, at 1:06 pm, Ryan Sleevi <<a href="mailto:sleevi@google.com" class="">sleevi@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">How so? The Ballot only applies to the profile of the issuance of roots/sub-CAs, not from.<div class=""><br class=""></div><div class="">If it applied to from, the existing BRs would already rule out a number of members' roots and intermediates :)<br class=""><div class=""><br class=""></div></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Thu, May 4, 2017 at 4:04 PM, Geoff Keating <span dir="ltr" class=""><<a href="mailto:geoffk@apple.com" target="_blank" class="">geoffk@apple.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><br class=""><div class=""><span class=""><blockquote type="cite" class=""><div class="">On 4 May 2017, at 12:30 pm, Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>> wrote:</div><br class="m_7516727140871036370Apple-interchange-newline"><div class=""><div dir="ltr" class="">Kirk raised that, but it does not seem to be a founded concern.<br class=""><div class=""><br class=""></div><div class="">1) That requirement applies to all certificates issued against the current BRs</div><div class="">2) The BRs do not retroactively invalidate - or, especially in the case of Ballot 197 - approve - certificate issuance.</div><div class=""><br class=""></div><div class="">A CA has always and only been obligated to state compliance with the in-force BRs with respect to issuance and its activities.</div></div></div></blockquote><div class=""><br class=""></div></span><div class="">In this context, saying the BRs apply to ‘all certificates issued’ might mean that you could no longer issue a certificate against a root without a common name, and so cannot renew any sub-CAs.</div><span class=""><br class=""><blockquote type="cite" class=""><div class="gmail_extra"><div class="gmail_quote">On Thu, May 4, 2017 at 3:27 PM, Steve Medin via Public <span dir="ltr" class=""><<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-US" link="blue" vlink="purple" class="">
<div class="m_7516727140871036370m_-6447053817377038652WordSection1"><p class="MsoNormal"><span style="color:#1f497d" class="">Gerv, could we also request explicit forward-looking language? Kirk raised the concern about whether this applies to existing roots and intermediates. We have a root issued in 1997 that does not have a common
name. Some interpretations have been discussed, but we would strongly prefer that this be written into this change for clear future interpretations.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="color:#1f497d" class="">If I may:<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="color:#1f497d" class="">7.1.4.3. Subject Information – Root Certificates and Subordinate CA Certificates<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="color:#1f497d" class="">When issuing a Root Certificate or Subordinate CA Certificate, the CA represents that it followed the procedure set forth in its Certificate Policy and/or Certification Practice Statement to verify that, as of
the Certificate’s issuance date, all of the Subject Information was accurate and included the content required by this section.</span></p></div></div></blockquote></div></div></blockquote></span></div></div></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></body></html>